SCADA Security Talk

This would be my first visit to Nanyang Polytechnic. I was there for the SCADA Security and Controls event organized by (ISC)² and AiSP. The venue was pretty nice. I think I would have loved my JC to have been like this. The polytechnic seems to be quite serious about the H1N1 precautionary controls, with smart card readers, infra camera scanners, automatic sticker dispensers, etc. The seminar itself, however, was a little disappointing.

Who do you think would be attracted to an event titled “SCADA Security and Controls”? It would have to be people who know enough of SCADA to understand that it presents security risks to infrastructure. That is precisely why people like me wanted to attend, to find out what mitigation steps we can take, what others are doing, what new developments are happening, etc.

It turns out that the speakers were mostly stating the obvious. The obvious things that we all already know. The necessary steps to improved security that are so generic that they really apply to any environment, nothing even remotely SCADA specific. I’m quite surprised by the lack of substance. Can you imagine trying to teach IT security professionals the fundamentals of patch management, network partitioning, etc.

I suddenly realized I could label myself an expert in SCADA security. I don’t really need to know anything about SCADA. I just need common sense. Can someone pay me to fly all over the world to tell people the obvious?