I continue to be very concerned that both private sector and public sector policy-making organizations (square peg) simply don’t have the control system cyber security technical depth to be making decisions about cybersecurity of control systems (round hole). There have been many documented cases where applying IP network mitigations has caused very significant problems to control systems and control system field devices. This is not just a US problem. Recently, Germany’s cyber security policy-making organization (square peg) conducted tabletop exercises focused on power generation without any input from the power generation engineering organizations (round hole). Control system cyber security training that includes unique issues like process sensors, system interactions, and common cause failures are needed to educate both the workforce and policymakers.
