Say it ain't so Joe!
There were 19 attendees. The session was disappointing as there were no attendees with control system experience – it was an IT audience. Consequently, the discussions focused on securing Windows. However, it was so focused on traditional IT experience that when an example was provided of actual control system field implementations (older, unpatchable Windows systems that cannot be replaced), it caught the attendees off-guard and they didn't know what to do. They were not expecting that unintentional threats are critical to securing control systems. When discussions focused on what security control system vendors are providing (HMI and field devices), the attendees did not understand why security was not a primary design criterion or the difficulties in implementing secure control systems. There was also little knowledge of the control systems standards organizations and why IT standards were not directly applicable. I realize this may not be a typical representation of IT personnel working on control system cyber security; however, one wonders how much progress actually has been achieved in understanding the unique issues of control system cyber security.
It would be interesting to see the attendee list to see just who these "IT" people were.
But rhetorically (meaning how you would want to win the argument or get your point across) it doesn't make sense for those in the control systems security community (if in fact they want to be taken seriously) to continually dismiss "IT" (which basically means anything that is not control systems) as irrelevant and complain about "IT's" ignorance of "SCADA Security" standards efforts.
To put it more bluntly, imagine if you walked into a meeting trying to engage in dialog with folks that consider themselves experts on a given topic. If the first thing you do is tell everyone in the room that they are full of shit and that what they do know is not relevant to the problem at hand, how can you expect to be taken seriously?