“If one industry is vulnerable, they all could be,” said Joseph, M. Weiss, PE, CISM, managing partner at Applied Control Solutions and a Controlglobal.com blogger, in his testimoney before the House Committee on Homeland Security, October 17th.
Weiss, author of the “Unfettered” blog on ControlGlobal.com, hammered the North American Electric Reliability Corporation (NERC) and the Federal Energy Regulatory Commission (FERC), calling NERC’s attitude toward cybersecurity “alarming at best and negligent at worst.” He also recommended that ISA be given responsibility for developing cybersecurity standards by the Federal Government.
“The issue at hand,” Weiss went on, “is the protection of the interdependent critical infrastructures of electric power, water, oil/gas, etc. Control systems form the backbone of these infrastructures and the threat of a cyber attack is the central issue.”
Cyber security expert Joe Weiss of Applied Control Solutions.
Weiss put the matter bluntly. “There are only a handful of control system suppliers and they supply industrial applications worldwide. The control systems, architectures and default passwords are common to each vendor. Consequently, if one industry is vulnerable, they all could be.”
He continued, “I am a nuclear engineer who has been involved in control systems for over 35 years and control system cyber security for over seven years. I have been a part of the NERC cyber security standards process since its inception. I have been working with government organizations, end users, equipment suppliers, domestic and international standards organizations, and others to develop standards and solutions. I am also a utility shareholder and ratepayer, both of which can be affected by this subject.”
Weiss pointed to the basic difficulty of cyber security related to control systems: “Most people now becoming involved with control system cyber security typically come from a mainstream IT background and not that of control systems. This has, in some cases, inadvertently resulted in making control systems less reliable without providing increased security.”
Control systems vulnerability is clear, he said. “I am aware of more than 90 cases where control systems have been impacted by intentional and unintentional cyber incidents. These incidents have occurred in electric power transmission and distribution systems, power generation including fossil, hydro, gas turbine, and nuclear, water, oil/gas, chemicals, paper and agri-business. Damage from cyber incidents has ranged from trivial to significant environmental releases, to significant equipment damage to even deaths.”
At least some members of the committee appear to be listening to Weiss and others.
“I’ll be blunt—if this administration doesn’t recognize and prioritize these problems soon, the future isn’t going to be pretty,” said Rep. Jim Langevin (D-R.I.), chairman of the House of Representatives cybersecurity panel.
For the complete text of Weiss’ testimony, go to www.controlglobal.com/industrynews/2007/168.html.