"You have two different mindsets," Weiss said. "IT's mindset is security for the sake of security. They don't understand the physical manifestations [in an ICS] of doing something that may be perfectly fine on a desktop."
IT vendors started rushing into the ICS security market after the federal budget cuts that took effect March 1, Boyes said. The cuts, called the "sequester," marked an opportunity because they did not apply to spending in critical infrastructure security.
"What we're seeing now is a new land rush of people who have been doing IT security for a long time, trying to move into the critical infrastructure cybersecurity space," he said.
Securing the nation's critical infrastructure is a priority of President Barack Obama, who has issued an executive order requiring government agencies to share cyberattack information with private industry. Congress is also addressing security through pending legislation.
Collaboration between ICS and IT vendors is what's needed to develop the right security technology. In some cases, existing technology can be modified for use in an ICS.
"The IT world has done an awful lot more on networking than we have, but they're not looking at our types of applications and constraints," Weiss said.
Security standards for industrial automation and control systems exist today. An example is ISA99, established by the International Society of Automation.
Matthew Luallen, president of CYBATI, which provides control system cybersecurity education, recommends that vendors thoroughly test their technology in an ICS environment and that buyers make sure the devices within that test bed match what they use.
"If you're an educated customer, you're going to be able to see the differences between a vendor, a consultant and who really has the skills and who doesn't," Luallen said.