Now that the RSA Conference is a pleasant memory, I wanted to reflect on the newly renamed Physical Security and Critical Infrastructure Track. In response to growing interest in maintaining the security of power plants, chemical facilities, pipelines, transportation systems, and many other industries dominated by industrial control systems and related equipment, RSA Conference organizers added “Critical Infrastructure” to the title of the Physical Security track, which had previously been the home for this field. There were also more sessions about the NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) standards and Smart Grid as well as traditional physical security topics. Additionally, the session I moderated, called “Hacking the Smart Grid,” found its way to the Hackers and Threats Track, while the Governance, Risk, and Compliance Track hosted CIP Take 2, led by well-known control system and cyber security professionals Joe Weiss and Jon Stanford.
The message from the attendees seemed to be that they wanted interesting and provocative sessions that taught them something new and gave them something to take home with them. Few were attending sessions just because they worked in that industry or needed to “study up” on a particular issue. While control systems have some unique traits in that they manipulate more than ones and zeros, it quickly became clear that information technology and operations technology are well on their way to merging. The electronic attacks for each are surprisingly similar, and while the consequences can be more severe for the latter, we all are better served by developing a strong understanding of both. So, perhaps for future RSA conferences, we need more of that balance. On the one hand, we absolutely need to see the newest advances in cryptographic research and vulnerability exploits, but on the other, we need to see that there are real human consequences when attacks are launched or even attempted. When someone decides to create some mischief by messing with a pressure valve or a breaker, you can’t just restore from a backup tape and be back to normal. More often, malicious hackers aren’t just playing games; they’re playing with lives.