Protecting Our Cyber Infrastructure
There’s evidence of more than 100 cyber incidents, whether intentional, malicious or accidental, in co-author Joe Weiss’ Real-Time ACS database. These include the 2003 Northeast power outage and the 2008 Florida power outage. Neither incident has been described as a cyber event by the power companies and transmission companies involved. In fact, these companies continue to state that they have very few critical cyber assets, with most stating they have no power plants that are critical.
So what do we know, and what do we do about it? Industrial control systems (ICS) are an integral part of the industrial infrastructure supporting the nation’s livelihood and economy. They aren’t going away, and starting over from scratch to secure them isn’t an option. ICSs are “systems of systems,” and need to be operated in a safe, efficient and secure manner.
The sometimes-competing goals of reliability and security are not just a North American issue, but truly a global one. A number of North American control system suppliers have development activities in countries with dubious credentials. A large North American control system supplier has a major code-writing office in China, and a European RTU manufacturer has code written in Iran.
While sharing basic constructs with enterprise IT business systems, ICSs are very different systems. Vulnerability disclosure philosophies are different, and applying the wrong one can have devastating consequences.
A major concern is the dearth of a workforce educated to cope with the problem. There are probably fewer than 100 living control system cybersecurity experts, and there are currently no university curricula or ICS cybersecurity personnel certifications. Efforts to secure these critical systems are too diffuse, and do not specifically target the unique ICS aspects. The lack of ICS security expertise extends into the government arena, which has focused on repackaging IT solutions.
However, the convergence of mainstream IT and ICS systems requires that both mainstream and control system experts acknowledge the operating differences and accept the similarities. ICS cybersecurity is where mainstream IT security was 15 years ago—in the formative stage and needing support to leapfrog the previous IT learning curve. Regulation, regulatory incentives and industry self-interest are necessary to create an atmosphere for adequately securing critical infrastructures.
What can you and your company do to protect yourselves? The following recommendations, taken from a report to the bipartisan commission producing position papers for the incoming U.S. administration, provide steps to improve security and reliability of critical systems, and most are adoptable by any process industry business unit:
Walt Boyes is Control’s Editor in Chief. Joe Weiss is president of Applied Control Solutions and author of ControlGlobal’s “Unfettered” blog.