Robert M. Lee is an expert on a topic few people have heard of and even fewer understand: supervisory control and data acquisition (SCADA). It refers to systems that control nuclear power plants, satellites, water filtration systems, the power grid, that sort of thing.
Yet it is so complicated that even the people who run these systems don’t always fully comprehend them. So Lee decided to help us all out by writing an illustrated, easy-to-read children’s book, “SCADA and Me: A Book for Children and Management.”
Illustrated by Jeff Haas and published by IT Harvest Press, “SCADA and Me” tells the story of Little Bobby, who has been asked to protect SCADA but doesn’t know what it is, and his friend Matt, who gives him a guided tour of systems that use SCADA. It is by turns informative and sarcastic, and actually easy to understand.
It started when “I briefed a team that should have known better,” Lee told Quartz on the phone from Germany, where he is based. “They came to me [afterwards] and said let us know when you have a non-technical version because we didn’t understand.” Lee’s talk was the non-technical version. He returned home dispirited and wrote the book as a way of venting his frustration. It was, he admits, “a bit immature of myself.”
The problem with the industry is that a lot of effort is focused on warding off big, attention-grabbing attacks, says Lee, whose day job is as a cyberspace operations officer with the US Air Force. Yet it’s rare for a state to launch an attack such as Stuxnet, a computer worm that damaged an Iranian nuclear facility and is widely thought to have been the work of Israel and America.
Meanwhile, basic security measures are not in place. Instead of thinking about low-probability events, industrial controllers should be considering relatively mundane things, such as hackers attacking their databases. Such attacks are relatively simple, but so is defending against them. But “a lot of people who go on about cyber[war] just want job security and big contracts,” Lee says.
“The advantage that defenders should always have over attackers is that they should know their networks better than attackers. That is by and large not true. People do not know what’s on their networks,” Lee says.
The book has been well-received. The president of Estonia, for one, made his staff read it. Computer security professionals have also been moved to buy it. And despite worries that SCADA managers might feel insulted, Lee says they have responded well.