Full Report
The week of 9/11, I was in Houston along with 40,000 others for the ISA Expo. On 9/9 I was made an ISA Fellow. On 9/10, we held two sessions on CONTROL SYSTEM (there was no such term as OT at the time) cybersecurity that were well attended by the engineers with minimal IT attendance […]
Analysis Summary
# Main Topic
Historical observations on the nascent state of control system (pre-OT terminology) cybersecurity awareness around September 11th, contrasting the early attention from engineers with the industry's lingering failure to adopt crucial security lessons.
## Key Points
- Specific cybersecurity sessions focused on CONTROL SYSTEM security were held in Houston the week of 9/11 (September 10th) during the ISA Expo.
- These early sessions attracted strong attendance from engineers but minimal IT presence, establishing control system security as a recognized business imperative for operational continuity ("you can’t make things if the control systems don’t work").
- The author notes that key lessons from 9/11—connecting the dots, lack of imagination, and needing multidisciplinary teams—have historically *not* been learned regarding control system cybersecurity.
- The author was scheduled for a tour of NASA’s Johnson Space Flight Center on 9/11, which was subsequently cancelled.
## Threat Actors
- No specific malicious threat actors, campaigns, or attribution are mentioned within the context of the ISA Expo sessions or the immediate 9/11 events described.
## TTPs
- The account describes historical industry behavior and operational necessity rather than specific adversarial TTPs.
- The narrative focuses on the *defensive/awareness posture* of the time, noting the focus was on physical operational integrity rather than known cyber intrusion techniques.
## Affected Systems
- **Systems Discussed:** CONTROL SYSTEMS (the term OT was not yet prevalent).
- **Affected Audience/Community:** Engineers attending the ISA Expo sessions focused on control system security.
- **Specific Incident Impact:** A scheduled tour of NASA’s Johnson Space Flight Center was cancelled due to the 9/11 attacks.
## Mitigations
- The primary "mitigation" highlighted is the recognition by engineers prior to 9/11 that **control system security was a business imperative** necessary to ensure production continuity.
- The author implicitly recommends applying the three major lessons from 9/11 to control system security: **connecting the dots**, exercising **imagination** regarding threats, and establishing **multidisciplinary teams**.
## Conclusion
The account serves as a historical marker, demonstrating early recognition of industrial control system security needs among engineers at the ISA Expo just prior to 9/11. However, the author suggests that the fundamental security lessons derived from the national trauma of 9/11 regarding proactive defense and holistic security thinking have largely been ignored or insufficiently applied within the control system domain in the years since.