Control systems cybersecurity expert Joseph M. Weiss is an international authority on cybersecurity, control systems and system security. Weiss weighs in on cybersecurity, science and technology, emerging security threats and more.
The Control Engineering 2015 Cyber Security Survey doesn’t seem to identify ICS cyber security impacts. The focus was on IT and networking devices with no mention of ICS field devices. A significant number of respondents experienced “cyber incidents” with their ICS networks – not devices.
For control systems, the CIA triad needs an additional term: “S” for safety. This is a real issue as there have been more than 50 actual control system cyber incidents that have injured or killed people.
My database now has more than 725 actual control system cyber incidents. VERY few were identified as cyber. There have been more than 1,000 deaths, major equipment damage, significant environmental releases, and even bankruptcies yet the C-suite too often is missing.
I have been able to identify more than 600 ACTUAL control system cyber incidents (I keep finding more) though most of the incidents were never identified with the word “cyber”. A very conservative estimate of the direct costs of control system cyber incidents to date is more than $15 Billion.
The Lloyd’s report on cyber implications of the electric grid serves a very important need to understand the insurance implications of a cyber attack against the electric grid. Unfortunately, the technical aspects of the hypothesized attack in the Lloyd’s study are too flawed to be used.
The computer security industry has long had a philosophical debate on how to define a cyber threat. For many, the use of the term Threat is reserved for hostile actors. But cybersecurity professionals and enterprise CTOs, CIOs and business executives must lead in ways that keep the IT (and ICS)...
Richard Stiennon’s book “There Will Be Cyberwar” focused on IT issues. Control systems were discussed only in the context of non-military applications. Richard, and many others, were not aware that the US DOD is a large user of industrial control systems. There is a real need to educate IT cyber security...
Tripwire performed a critical infrastructure survey asking how long it would take to detect a breach. According to the survey, 86% of energy security professionals believe they can detect a breach in less than a week and 61% believe they can detect a critical system breach in less than 24 hours.
The May 2015 issue of Chemical Engineering had an article “Managing Large Chemical Plant Start-ups”. The banner states: “prudent planning and scheduling during a project’s front end can lead to more expedient commissioning and start-up activities”.
This blog was originally requested from several oil/gas entities because of the lack of appropriate risk assessment methodology for field sensors and controllers (Level 1 devices). The lack of focus on the Level 1 devices has been a constant with most critical infrastructure protection articles, conferences, and personal discussions regardless...