I saw the announcement for the SecurityWeek ICS/SCADA Cybersecurity Conference with the caption “The original ICS/SCADA Cybersecurity Conference”. The announcement stated:
“Since 2002, SecurityWeek’s ICS Cybersecurity Conference has been the conference where ICS users, ICS vendors, system security providers and government representatives meet to discuss the latest cyber-incidents, analyze their causes and cooperate on solutions.”
I thought it might be worthwhile to provide some historical background.
In 2000, I helped start the EPRI control system (the term OT didn’t exist yet) cybersecurity program for the electric utilities. The EPRI program held cybersecurity workshops, but they were only open to EPRI program members.
In April 2002, I left EPRI and went to KEMA (now DNV) to start their control system cybersecurity program. As there was no “open” control system cybersecurity conference, I was encouraged by many people in and out of the utility industry to start one. Consequently, in July 2002, under my direction, KEMA held the first control system cybersecurity conference. We had no idea if the conference would be successful as all other cybersecurity conferences were for IT, while this conference was specifically targeted to the control system engineers, although we did welcome IT attendance. We were successful, as there were more than 125 attendees.
As a result, we decided to continue the conference. In 2007, I left KEMA to start Applied Control Solutions. Because the first six conferences were under the KEMA banner, I got permission from KEMA to continue the conference as the ICS Cybersecurity Conference. I had been moving the conference to different venues where we had the opportunity to tour nearby national laboratories and in the Washington DC area where members of Congress addressed the participants and received feedback about what was really happening in the field.
In 2012, I was invited to the TransAtlantic Cyber Summit hosted by the Georgia Tech Research Institute (GTRI) in Dublin, Ireland. While there, I got a commitment from GTRI to host the ICS Cybersecurity Conference which is why the conference was moved to Atlanta. In 2014, I was invited to make a presentation on control system cybersecurity at the Kaspersky Cyber Analyst Summit in Punta Cana. (Mike Lennon from SecurityWeek was there, although I did not know him at the time.) In 2015, I was not able to continue the conference because of other work commitments. Consequently, I issued an Unfettered blog stating I was going to defer the conference for a year.
As a result of the blog, Mike Lennon approached me about buying the conference. As Mike was coming from the IT security community, I thought it would be a winning proposition to have his IT expertise combined with my control system expertise. Unfortunately, that didn’t work out, and my last appearance was in 2017.
In summary, the ICS Cybersecurity Conference started in 2002 as a cybersecurity conference for the control system engineers. SecurityWeek was not involved until 2015 at which time the focus changed. My last participation was in 2017.