Control Systems Cybersecurity Expert, Joseph M. Weiss, is an international authority on cybersecurity, control systems and system security. Weiss weighs in on cybersecurity, science and technology, security emerging threats and more.
The 15th ICS Cyber Security Conference showed that ICS cyber security is still a mixed bag. There were many attendees that actually understood ICS cyber security – progress! However, there were still many attendees that did not understand the specific ICS cyber security issues.
Marina Krotofil's presentation on hacking a chemical plant focused on the vulnerabilities of the process and control design. One of Marina's slides was about compromising operator displays by addressing sensor signal processing filters. An intentional change in the signal processing filter resulted in a nuclear plant operating in an unsafe...
The PG&E San Bruno natural gas pipeline rupture and the Volkswagen emissions scandal were ICS cyber incidents that put the respective corporations at risk and led to the resignation of the respective CEOs.
Not every ICS cyber vulnerability is critical. ICS cyber security should focus on what can affect ICS or system operation so the end-user can prioritize what threats are important to system reliability and safety.
The 2015 ICS Cyber Security Conference will be October 26-29 at the Georgia Tech Hotel and Conference Center in Atlanta (www.icscybersecurityconference.com ). This will be the 15th in a series that began in 2002. Because the Conference focuses on timely ICS cyber security issues, the agenda is now being finalized.
The Control Engineering 2015 Cyber Security Survey doesn’t seem to identify ICS cyber security impacts. The focus was on IT and networking devices with no mention of ICS field devices. A significant number of respondents experienced “cyber incidents” with their ICS networks – not devices.
For control systems, the CIA triad needs to add an additional term -“S” for safety. This is a real issue as there have been more than 50 actual control system cyber incidents that have injured or killed people.
My database now has more than 725 actual control system cyber incidents. VERY few were identified as cyber. There have been more than a 1000 deaths, major equipment damage, significant environmental releases, and even bankruptcies yet the C-suite too often is missing.