I am just returning from Washington, DC, where I had the privilege to attend and present at the Control Systems Cyber Security Conference. I have attended this annual conference several times in the past and it never fails to attract some of the brightest minds in the field. Over three days the single-track conference featured speakers from government, vendors, end users and security researchers.
Industrial Control Systems (ICS) are at the core of many of our critical infrastructures such as electric power, water and manufacturing. Inherently designed to control physical processes, these systems are greatly reliant on information technology. In fact, there are many similarities in the security challenges faced by both ICS and IT systems. These systems are increasingly networked and employ common technology platforms. While several recent events have raised the profile of cyber security for these systems, the community represented at this conference has been working on it for much longer than that.
I was invited to share Microsoft’s perspectives on ICS security as many of these systems are built upon the Windows platform. Furthermore, many of Microsoft’s experiences with securing our products and services can be applied in this field. My presentation focused on three areas: secure development, device security, and response. Specialized ICS software vendors benefit from processes like the SDL to reduce the number and severity of vulnerabilities. As with IT systems, it is critically important that ICS computing devices are securely configured and employ current mitigations and protections against ever-evolving threats. ICS have a long lifecycle and stringent uptime requirements, making applying security updates challenging. The information provided with Microsoft security updates helps ICS operators make proper risk management decisions for their environments.
Control systems are often behind the scenes but must be included in cyber security plans. They are a crucial component of our critical infrastructures and require collaboration from across industries to secure. Lastly, I do want to acknowledge the many individuals and organizations in this field that are working tirelessly to protect these systems and their associated infrastructure.