Since the 2010's "Stuxnet" sabotage attempt, cyber-security of industrial control systems (ICS) or "SCADA" has become a buzzword in industry. The (cyber-) protection of the critical infrastructure became a focal point for governments. Vendors and manufacturers have pushed "Industrial Security" appliances onto the market, or claim that their products are now with "enhanced security". A cacophony of standards have emerged, and certification schemes are offered. But does this help? Given the increasing interconnectivity of ICS (SmartMeters, later the Internet-of-Things), shouldn't the direction be more towards standard IT than sticking to a dedicated ICS IT? Why is it that I can patch a computer centre over night, but not a control system within a year? This presentation will not give the answers but outline why control system cyber-security sucks and which hurdles we encountered to handle ICS cyber-security like that of our computer centres' A change of paradigm is needed, and this change must start with people and not with technology.
Stefan Lders, PhD, graduated from the Swiss Federal Institute of Technology in Zurich and joined CERN in 2002. Since 2009, he has been heading the CERN Computer Security Incident Response Team as CERN's Computer Security Officer with the mandate to coordinate all aspects of CERN's computer security - office computing security, computer centre security, GRID computing security and control system security - whilst taking into account CERN's operational needs. Dr. Lders has presented on these topics at many different occasions to international bodies, governments, and companies, and published several articles.