“Until 2000, my job was engineering agile and usable control systems. That meant vulnerable control systems,” said Joe Weiss, principal of Applied Control Solutions and founder of the Real-Time Cyber Security Conference. “Security and performance are generally in conflict. By the time you get done putting in all the security as afterthoughts,” Weiss went on, “what you have is not a control system, it’s a doorstop!”
People who come to process control cybersecurity from the IT domain sometimes have a distorted view of what’s necessary and what’s practical. “It’s okay to shut down the mail server for four hours for maintenance,” he said, “but what happens when you shut down the plant?”
On June 10, 1999, a 16-in. diameter steel pipeline operated by the now-defunct Olympic Pipeline Co. ruptured near Bellingham, Wash., flooding two local creeks with 237,000 gallons of gasoline. The gas ignited into a mile-and-a-half river of fire that claimed the lives of two 10-year-old boys and an 18-year-old man, and injured eight others.
“These are the first fatalities from a control-system cyber event that I can document, and for a fact say that this really occurred,” Weiss said. He went on to describe the event in detail and then noted that this doesn’t just happen in the pipeline industry.
“I’ve logged over 90 incidents in all industries worldwide,” Weiss said. “The damage ranges from significant equipment failure to deaths.”
He went on to describe the broadcast storm accident that shut down the reactor coolant pumps at the Browns Ferry Nuclear plant—which, in turn, caused the operator to perform an emergency scram (shutdown) of the reactor.
“And it is going to get worse,” Weiss said. “The vulnerabilities are starting to move downward into the control systems and field devices. If you break Microsoft, you get a bump. If you want to go boom in the night, you go to the field devices.”
“The major difference between what happened at Browns Ferry and what has happened at your plant,” Weiss went on, “is that the NRC insists on investigating and making public reports on incidents like this—and your managements don’t.”
“Chances are,” Weiss continued, “you’ve had the same stuff happen to you—the system burped—and you don’t know why. It might be that you just had a cyber event.”
Weiss said there’s a misunderstanding about what a cyber event is. He defined a cyber incident as any occurrence that affects the confidentiality, integrity or availability of the data or processes in a plant. “It isn’t about terrorists, although just because they haven’t managed to shut down a plant or blow one up, it doesn’t mean they won’t or can’t.”
“One of the problems in discovering the Olympic Pipeline event,” Weiss noted, “is the fact that we don’t have any logging for cyber. There are significant chunks of data missing for the time period immediately before the incident. We may never know exactly what the operator did, but NTSB (the National Transportation Safety Board) is willing to state for the record that it was cyber.”
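The missing-data problem Weiss describes can at least be detected after the fact: a historian or SCADA event log that is supposed to record samples at a fixed interval can be scanned for windows where nothing was recorded, and those windows are exactly where forensic evidence is absent. The following script is an added illustration, not code from the article, from Weiss, or from any vendor product; the log format (ISO timestamp, tag name, value), the one-second sampling interval and the sample lines are all constructed for the example.

```python
"""Flag gaps in a fixed-interval control-system data log.

Added illustration (not from the article or any product): each tag is
expected to be sampled once per EXPECTED_INTERVAL; any silence longer than
TOLERANCE is reported as a window of missing evidence.  Log format and
sample lines are constructed for this example.
"""
from datetime import datetime, timedelta

EXPECTED_INTERVAL = timedelta(seconds=1)   # assumed sampling rate
TOLERANCE = timedelta(seconds=2)           # report anything longer than this

# Constructed sample log: FLOW_A is silent from :02 to :09, VALVE_B is complete.
SAMPLE_LOG = """\
# timestamp tag value
2000-01-01T00:00:00 FLOW_A 10.0
2000-01-01T00:00:01 FLOW_A 10.1
2000-01-01T00:00:02 FLOW_A 10.0
2000-01-01T00:00:09 FLOW_A 10.2
2000-01-01T00:00:10 FLOW_A 10.1
2000-01-01T00:00:00 VALVE_B 1
2000-01-01T00:00:01 VALVE_B 1
2000-01-01T00:00:02 VALVE_B 1
2000-01-01T00:00:03 VALVE_B 0
"""


def parse_log(text):
    """Parse 'timestamp tag value' lines into (datetime, tag, float) tuples.

    Blank lines and '#' comments are skipped; a malformed line raises
    ValueError with its line number so a truncated log is not silently
    accepted as complete.
    """
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(parts)}")
        records.append((datetime.fromisoformat(parts[0]), parts[1], float(parts[2])))
    return records


def find_gaps(records, tolerance=TOLERANCE, interval=EXPECTED_INTERVAL):
    """Return (tag, gap_start, gap_end, missing_samples) per tag for every
    silence longer than `tolerance`."""
    by_tag = {}
    for ts, tag, _ in records:
        by_tag.setdefault(tag, []).append(ts)
    gaps = []
    for tag, stamps in by_tag.items():
        stamps.sort()
        for prev, cur in zip(stamps, stamps[1:]):
            delta = cur - prev
            if delta > tolerance:
                missing = round(delta / interval) - 1
                gaps.append((tag, prev, cur, missing))
    return gaps


def coverage_ratio(records, tag, interval=EXPECTED_INTERVAL):
    """Fraction of the expected samples for `tag` that are actually present."""
    stamps = sorted(ts for ts, t, _ in records if t == tag)
    if len(stamps) < 2:
        return 1.0
    expected = round((stamps[-1] - stamps[0]) / interval) + 1
    return len(stamps) / expected


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for tag, start, end, missing in find_gaps(recs):
        print(f"{tag}: no data {start.isoformat()} .. {end.isoformat()} "
              f"({missing} samples missing)")
    for tag in ("FLOW_A", "VALVE_B"):
        print(f"{tag} coverage: {coverage_ratio(recs, tag):.0%}")
```

Run against a real export, the gap list gives an investigator the exact windows for which no record exists, which is the first thing to establish before asking what an operator or a device did during them.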
What should users do about this?
One of the best things you can do, Weiss said, is to get involved with ISA’s SP99, the developing cybersecurity-in-process-automation standard. “We need the input of more users. And it’s not the second coming of Y2K,” Weiss added. “This is real. It is happening, and it is happening to you.”