On March 14-15, I attended a workshop co-hosted by MForesight and the Computing Community Consortium (CCC). MForesight is a federally-funded consortium focused on accelerating technological innovation to enhance U.S. manufacturing competitiveness. The CCC has a mission to “…catalyze the computing research community and enable the pursuit of innovative, high-impact research.” These two organizations have come together to address the need for improved cyber security for manufacturers.
The invitation to the workshop described the intent as being “… to give invited cyber security experts and leaders from the private sector, federal government, and academic community in attendance an opportunity to contribute their knowledge and expertise to clarify manufacturing-specific cyber security challenges, identify emerging technology solutions, and define action items.” Further, the stated objective was “…[to] provide actionable insights and recommendations that, if implemented, will benefit manufacturers of all sizes.”
To provide some initial structure for the workshop, the organizers proposed an agenda that would address a combination of key challenges and types of response. The challenges suggested were system-level security, integrity of manufactured goods, machine-to-machine security and supply chain-to-factory security. Response areas included intelligence gathering, adversary assessment, and intelligence sharing.
Approximately fifty people attended the workshop, representing a mix of government, consulting, academia and private industry. Private sector participation was modest. The Dow Chemical Company, Corning, Lockheed Martin, Boston Scientific, and several smaller firms were represented.
Kevin Krieg gave a keynote talk to open the workshop. Mr. Krieg is a former Under Secretary of Defense for Acquisition, Technology, and Logistics. He described the current cyber security situation as being similar to that of quality in the 1980s – predicting that we are on the verge of common acceptance of the need for improved security as an essential element of business strategy. To convey the urgency he made statements such as “Do something now or wait to be regulated,” and “Adapt or get run over.”
I found the statement about possible regulation to be particularly interesting, since I heard almost the same statement from a government official in a meeting hosted by the Department of Commerce in 2002. We can only speculate about the potential for this situation, given the current “anti-regulation” climate in Washington.
Mr. Krieg also stated his opinion that “Industry and government get it, and academia is thinking about it.” He suggested that now is the time for partnership and collaboration to improve awareness, establish principles of operation, define standards and metrics, and identify and promote early adopters.
As I listened to Mr. Krieg’s comments it was not clear to me that he and the organizers were fully aware of the activities and initiatives that have been under way in this area for several years. We have developed industry-specific and cross-sector standards and practices, and have been sharing information on effective responses in a variety of conferences over the past several years. Even with all this effort, workshops such as this one clearly show the need for further outreach and engagement.
The workshop portion of the event took the form of a series of smaller breakout sessions, each addressing specific challenges and responses. Individual subgroups then briefed the larger group on their observations and suggestions. The organizers will be using all this information to produce a summary of the workshops for those in attendance, and to provide guidance for their future work.
In the breakout sessions in which I participated, there were few if any true revelations. Most of the issues raised are fairly well known in the industrial cyber security community, although some still lack definitive solutions. Observations included the need for scalable and flexible security solutions to meet the diverse needs of the manufacturing community, as well as the need to protect sensitive and proprietary information while still allowing the necessary level of information sharing.
While there may have been few “Aha!” moments during this workshop, I was pleased and encouraged to see the degree of collaboration between the stakeholder groups represented.