“You get the right person with the right capability committed to this and it’s a game changer,” Rogers told the Summit. “My concern is it’s just a matter of time.’
Eric Cornelius, a former ICS-CERT official, said that operators in critical sectors including power, water, oil and gas sometimes do not implement security fixes recommended by equipment and software manufacturers in a timely manner because they need to take plants off line to do so and cannot afford the downtime.
Some plants lack sufficient security staff and technology to protect networks because they don’t have adequate funds, said Cornelius, director of critical infrastructure for Cylance Inc.
A relatively unsophisticated hacker whose goal was to probe a network could unintentionally damage a system because aging networks are fragile and extremely sensitive, he said.
“That leaves these control systems insecure,” he said.