I heard some surprising and insightful conversation from a pair of young schoolchildren the other day.

Joedamadman: Thomas School Bus

They were chatting about riding the bus to school. One of them said, “I don’t understand why the bus driver is the only one who gets a seat belt.”

“Yeah”, came the response, “and he’s the oldest one!”

Although they couldn’t tell you so, these two students were already grasping some important concepts about safety, security and risk.

1. They honed in on the purpose of the school bus — to get *the students* to school safely (rather than the driver).
2. They did a comparison of useful remaining life — reasoning that it makes more sense to worry about the children, because they have longer to live than the bus driver.

Those same thoughts have a nice analogy to ICS security.

1. Whether your business is generating electricity or making cookies, your most important computing assets are those controlling the industrial process — it’s the production network that is making you money! You should not ignore its safety and security while only investing in protection for the “enterprise side”.
2. Withe a limited budget you’re going to have to choose where to dedicate the most resources. There may be significant challenges with securing older plants. If you are going to build a new facility it is your chance to invest in a lifetime of a more-secure, more-safe control system. Focus your security efforts and budget where they will serve you the longest.