Experts agree that much can be done to improve control systems security, but those who want to do so must create compelling business cases that convince senior management and infrastructure owners that the investment is worthwhile, said Michael Torppey, technical manager of the Process Control Systems Forum, an industry group that focuses on control systems security. The federal government should provide regulations and incentives for information security companies to offer better products, said Jason Larson, senior cybersecurity researcher at Idaho National Laboratory, which leads federal efforts on critical infrastructure. His colleague Robert Hoffman, cybersecurity research manager at the lab, said infrastructure owners should find the most evident vulnerabilities first, prioritize them and implement enough security to reach a minimum acceptable level of risk.