Control systems ARE different

Control systems control the industrial infrastructure. Control system engineers are system engineers. Consequently, they are conversant in control theory, electrical engineering, mechanical engineering, chemistry, physics, computer programming, and, for nuclear plants, nuclear engineering. Without this expertise, they cannot assure that the control systems can adequately and safely control the process.

Cyber security changes the dynamics of instrumentation and control systems engineering. With the advent of modern networking technologies and the blurring of the lines between control systems and business IT systems, there is now a need for a cooperative effort between all organizations that can be affected by, or affect, control systems operation.

A good example of the need for cooperation comes from the Applied Control Solutions August Control System Cyber Security Workshop in Knoxville, TN. Mu Security did a demonstration where they identified almost 500 ICMP vulnerabilities. However, without control system domain expertise, it is not possible to know which ones are relevant or, more importantly, critical to control system operation.

Another consideration is that currently, more than 75% of electric utility control system communications are point-to-point serial, not IP. These communications often extend directly to the field equipment. In many cases, impacting IP protocols can affect communication between the control center and corporate, but affecting serial communications can affect field equipment. The recent Aurora demonstration, where a diesel generator was destroyed by a cyber event, was a good example.

From a cyber security perspective, legacy field devices are different from business IT systems and even modern control system Human-Machine Interfaces (HMIs). Consequently, applying inappropriate policies, procedures, testing, or technologies can impact control system performance.

Most of the control system impacts I have documented, particularly with field devices, have been caused by inappropriate measures, not intentional attacks. Often this comes from the business IT organization attempting to scan control system networks. These and other IT-initiated events have resulted in impacts ranging from slowing or shutting down control system workstations, to shutting down Programmable Logic Controllers (PLCs), to actually destroying hardware in variable frequency drives.

Bits and bytes are important, but if you don't know what they mean, they are at best irrelevant.

Joe Weiss