Legacy Control System Cybersecurity/Reliability Test Bed

There has long been a strong desire to find solutions for securing industrial control systems that go beyond "simply" exposing problems and risks. So what is so difficult about finding solutions? The answer is technology, use and compliance. Solutions exist for some parts of the control system (Windows-based workstations, IP-based networks) that have been adopted/adapted from the IT community. The IT systems community has been exposed to vulnerabilities much earlier than ICS, and it makes sense to leverage the large investments made in IT by importing approaches that make sense in a control systems environment. Unfortunately, this leaves a good part of many control systems still exposed: there have been very few solutions for the actual field control systems, the non-Windows, non-IP parts of the loop.

I am currently working with a utility and some of their control system suppliers to secure their legacy control systems for reliability considerations. The team is looking at older systems with "minimal" security that will NOT be replaced for years and newer technology with some degree of security. As the utility is not under the purview of the NERC CIP process, they can address security from an engineering perspective. The utility has an Operational Technology (OT) manager with control systems background. To date, there have been meetings with OT, Operations, and two vendors.

The October ICS Conference (www.icscybersecurityconference.com) will provide a status of the utility/vendor program. This includes a lessons-learned by the utility and vendor teams and a better idea of the scope of the problem.

Joe Weiss