Control Systems Cybersecurity Expert, Joseph M. Weiss, is an international authority on cybersecurity, control systems and system security. Weiss weighs in on cybersecurity, science and technology, security emerging threats and more.
One of the most important aspects in addressing ICS cyber security is the concept of “systems of systems”. Unlike IT, where you can test a box and label the system secure, ICS cyber security requires testing the overall system.
There have been more than 500 actual control system cyber incidents globally in multiple industries. The International Atomic Energy Agency (IAEA) has tasked me to select 3 of the more than 30 nuclear-plant cyber incidents and identify what really happened, what controls were violated, and what policies and guidelines would...
Joe Weiss named Smart Grid Pioneer. Smart Grid Today named the 50 Smart Grid Pioneers of 2015, including 11 CEOs or presidents, 15 directors, a former state governor and a White House National Security Council staffer. The award is based solely on merit.
April 9th, 2015, the California Public Utilities Commission fined Pacific Gas & Electric (PG&E) $1.6 BILLION for the September 2010 San Bruno natural gas pipeline rupture that killed 8 and destroyed a neighborhood (there are also 28 federal criminal charges and numerous other fines and penalties).
The general discussions on control system cyber incidents focus on the lack of documented incidents. The lack of documented incidents is generally due to lack of appropriate diagnostics and/or lack of appropriate training to identify the incidents as cyber. The following article provides a good discussion about the subject: http://www.csmonitor.com/World/Passcode/2015/0323/How-cyberattacks-can-be-overlooked-in-America-s-most-critical-sectors
On March 12, 2015, DHS’s ICS-CERT issued the ICS-CERT Monitor report that identified 245 total incidents in 2014. It is not clear how many of the control system incidents actually affected facility reliability and/or safety.
The 2015 (15th) ICS Cyber Security Conference will be held October 26-29 at the Georgia Tech Hotel and Convention Center in Atlanta. As with previous ICS Cyber Security Conferences, the agenda will not be complete until shortly before the conference to accommodate the most current issues and findings. There will be...
The National Association of Insurance Commissioners (NAIC) issued "Principles for Effective Cyber Security Insurance Regulatory Guidance". The NAIC principles effectively focus on data breach. However, data breach is not a significant issue for ICS cyber security. ICS cyber impacts need to be considered.
Based on the Advisen and other meetings I have attended, there is little understanding of control system cyber security by the insurance industry. I believe the insurance industry is very important for improving control system cyber security as they can provide both carrot (lower premiums) and stick (higher premiums or...
The electric utility industry was recently provided lessons learned about a utility incident that resulted in a loss of SCADA/EMS functionality for almost an hour. It was obviously a cyber incident, though the notification never mentioned the word “cyber”.