T. Watkins
Schweitzer Engineering Laboratories,
United States
Keywords: Novel Technology, OT SDN, Schweitzer Engineering Laboratories, Critical Control Systems, Cybersecurity
Summary:
As a nation, we must speed up how we bring new technologies to market; Especially when considering cybersecurity needs of our nation's critical control systems! Our adversaries have years to developing technologies, understand modifications being made in standards/frameworks, and access to publicly accessible regulation. They use this time to discover gaps and seams to create threats. Adversaries develop and mature new tactics, techniques, and procedures long before the innovation is ever implemented! Using my journey with Schweitzer Engineering Laboratories, Operational Technology Software Defined Networking (OT SDN) since 2013, I captured "lessons learned" of bringing a novel technology to market and then to implementation. This discussion will capture these lessons on how both the manufacture and customers can begin moving new technology to market at “cyber” speed vice spending years in paperwork and politics. Novel innovative technology requires acceptance into standards/frameworks. Standards/frameworks become codified into regulation. Regulations allows acquisition. Acquisition allows for the technology to be implemented into specification and designs. Before specification and designs, there needs to be training and certification to the customer, integrators, and maintainers of the technology. In order to inform anyone of the innovation, a sales channel has to be developed. The following questions would be approached with the intent of reducing time, vendor and customer capital risk, and customer acceptance faster than our current models: How can a customer begin to specify or design a system with a new (unproven) technology without acquisition acceptance, training, certification, and thorough understanding of how this solution will help meet both operational and cyber requirements? If a new technology doesn’t fit perfectly into a current standard or framework, how can a vendor and government modify existing security controls faster so regulation can be updated? What are ways that we can reduce vendor risk to become more aggressive with innovation? What are ways that vendor's speed up the process of device qualifications or independent assessments? How can we reduce the cost of all of the above so that it doesn’t significantly increase the price of the product? What are ways customers can adopt technology without increasing risk (unproven technology, testing, lack of confidence, and training)? How do you prepare and develop a sales force, integrators, consultants, and maintainers on innovation that hasn’t been adopted into specifications and designs? Without even including the R&D process and capital risk involved in creating a new technology, how can we significantly reduce the 7 to 10 years of process to finally implement a novel technology? Critical control systems are not replaced (in service for 15 to 30 years) on the same timing cycle as information technology systems (3 to 5 years). The most innovative solutions could take decades to implement. What are ways that we can introduce novel technology into new or existing systems without increasing operational risk?