Control's Joe Weiss testifies before Congress

"If one industry is vulnerable, they all could be," Weiss says. In direct, honest and riveting testimony before the House Committee on Homeland Security, Control's "other blogger" Joe Weiss yesterday hammered NERC, FERC and called NERC's attitude toward cybersecurity "alarming at best and negligent at worst," while he recommended that ISA be given responsibility for developing cybersecurity standards by the Federal Government. "I am a nuclear engineer," Weiss said, "who has been involved in control systems for over 35 years and control system cyber security for over 7 years. I have been a part of the NERC cyber security standards process since its inception. I have been working with government organizations, end-users, equipment suppliers, domestic and international standards organizations, and others to develop standards and solutions." He went on to personalize his testimony, saying,  "I am also a utility shareholder and ratepayer, both of which can be affected by this subject." "The issue at hand, Weiss went on, "is the protection of the interdependent critical infrastructures of electric power, water, oil/gas, etc. Control systems form the backbone of these infrastructures and the threat of a cyber attack is the central issue." He put the matter bluntly.  "There are only a handful of control system suppliers and they supply industrial applications worldwide," said Weiss. "The control systems, architectures and default passwords are common to each vendor. Consequently, if one industry is vulnerable, they all could be." Weiss went on, "I am aware of more than 90 cases where control systems have been impacted by intentional and unintentional cyber incidents. These incidents have occurred in electric power transmission and distribution systems, power generation including fossil, hydro, gas turbine, and nuclear, water, oil/gas, chemicals, paper, and agri-business. Damage from cyber incidents have ranged from trivial to significant environmental releases, to significant equipment damage to even deaths." Weiss' official testimony is posted on

What are your comments?

You cannot post comments until you have logged in. Login Here.


  • In discussions with several colleagues in various adjacent water utilities, I've noticed that everyone says "we're a small time operation, we're isolated, so why bother?"

    The answer is that while you may indeed be isolated TODAY, how long do you think you can stay that way? And if security is such a burden, then you'd better think about how you're going to get started securing things NOW. This is not something you can do overnight. This is as much a cultural issue, and you'll have a lot of convincing and training to happen before most of this will be accepted.

    Another disturbing trend: Increasingly, we're discovering that control system vendors are starting to request access via modem or in one VERY brazen case, a DSL line to the internet. They wanted access 24/7 with no prior notice to the operators. We told the vendor they ought to bury that stupid idea right now (the actual words we may have used were probably not fit to print).

    We need a set of standards we can point to and say, "here there be dragons." Sadly, I don't think the NERC CIP proposal in front of FERC does that.

    Oh and by the way, if anyone is wondering why a water utility cares about this, it's because once the standard has been set and used, we tend to borrow from it. Warts and all. And there are a lot of warts on this standard.


  • Coming from a background in IT security and being new to the world of industrial automation, I find the current state of security for critical infrastructure appalling. The small number of control system vendors seem to recognize the clients need for security, and do sell products they claim to be secure, however I'm yet to see an independent vulnerability assessment of the applications and architectures. Security through obscurity, which has proven time and time again to be fundamentally flawed, is generally the front line of defense and more often than not the sole means of defense. I have inadvertently run across a disturbing number of exploits in the past year that I have been working with control systems software suites, indicating a severe lack of understanding on part of the developer. There is no excuse for plain text connection strings on client side scripting in the source of reporting websites designed to run on the internet, or glaringly obvious remote includes and SQL injection vulnerabilities. Replay attacks in particular seem to be effective against all systems I have encountered. It's not even worth counting the number of buffer overflows I've seen.

    Security awareness and understanding is an issue that has been prevalent in the IT field for quite some time, and as industrial automation and IT become closer, it inherits this issue. It is important to understand the security awareness and understanding is not only the responsibility of the consumer, but of the developer as well. The standards being proposed are of great importance, unfortunately there are some area's it fails to address.

    In response to ab3a's comment on a disturbing trend of vendors requiring access via modem, I have run into this issue as well. One particular vendor was very insistent on installing an open connection to the internet on the control systems network, their argument for security, which they stuck to regardless of the flaws I pointed out, was that they would run Norton Internet Security and that since one NIC card connected to the SCADA system, and a separate NIC card connected to the internet that it was impossible to gain access to the SCADA network. This was marketed as a secure solution. This is a perfect demonstration of how vendors are capitalizing on the need for security, but simply do not understand it.


RSS feed for comments on this page | RSS feed for all comments