The 2019 EnergyTech Conference and Information Security Summit were held concurrently October 22-25, 2019 in Cleveland - https://www.energytech.org. EnergyTech was co-sponsored by INCOSE (the International Conference on Systems Engineering). Conference participants included NASA, automotive, medical, building controls, energy, and others. A highlight of the conference was the participation of Apollo 17 Lunar Module Pilot Harrison Schmitt– one of the last astronauts to walk on the moon. I encourage people to read Harrison’s bio – PhD geologist, astronaut, US senator.
Apollo 17 was launched in December 1972. As part of his keynote, Harrison described the launch process for Apollo 17. There was a delay in the launch of Apollo 17 caused by a control system cyber incident. With 30 seconds left before launch, the launch computer had no indication of tank pressurization. An engineer had pressurized the tank but because the computer did not issue the command, the computer was unaware the tank had been pressurized. It took more than 2 hours for launch management to accept the fact that the tank was pressurized and allow for launch. Think of the cyber implications when a computer only can detect what it initiates. This type of cyber incident can, and has occurred, both unintentionally and maliciously.
There has effectively been an exclusion of domain experts (in industry and manufacturing – the engineers/Operations; and in finance - the economists). This exclusion of domain experts has led to the exclusion of control system devices from adequate cyber security considerations. The exclusion of domain experts is very different than the discussion of IT/OT convergence as neither IT nor OT are the domain experts. This is why my focus has been the need to include control system/Operations in cyber securing control systems through the entire life cycle. Therefore, my keynote presentation was on changing the paradigm of control system cyber security. Currently, the paradigm to secure control systems is to monitor and secure the control system networks (Operational Technology - OT). This is network anomaly detection (information assurance) and assumes that securing the network equals securing the control systems. This assumption is not true. Securing OT networks is necessary but not sufficient to secure control systems. OT network monitoring assumes the incoming process sensor packets are secure, authenticated, and correct which is not correct, certainly with legacy devices. I do not believe OT network monitoring is tractable as control systems are “systems of systems” with multiple vendors, protocols, etc. much of which are incapable of being secured. Consequently, securing control systems also requires monitoring the raw process sensor signals (e.g., pressure, level, flow, temperature, voltage, current, etc.) in real time for sensor health and process anomaly detection (mission assurance). Monitoring the process sensors will identify process anomalies including cyber attacks, sensor drift, etc. If there are no process sensor anomalies, there are no control system cyber, supply chain, or process issues affecting real time operation. This approach can also help justify continued operations when networks and HMIs get hit by ransomware, zero days, etc. An added benefit of monitoring the process sensors is that it requires engineering (domain experts) participation which has been lacking. There was a strong affirmation from the conference attendees that the lack of domain expertise continues to be an issue in securing control systems.
My conference interview can be found at https://twitter.com/InfoSecurSummit/status/1187021568108482562?s=19. A link to my keynote presentation will be coming later.
It has been evident that control system cyber security has been a stepchild to IT security. Moody’s Investor Services gave a very important presentation – “The Financial and Credit Implications of Cyber Risk”. The Moody’s presentation focused on cyber impacts (enterprise risk) which for a manufacturing or industrial company is most affected by control systems not IT. Because of Moody’s ability to reach the Boardroom, their interest can be a game changer. As this presentation is so important, I will have a separate blog on it.
There were three different industries that discussed unresolved control system cyber security issues. All agreed with my concerns.
- An attendee from the building controls industry expressed concern there are more than 2 million buildings with ongoing control system cyber security issues.
- An attendee from the automotive industry stated that the “fail safe” safety systems in manufacturing systems are dependent on the validity of the process sensor inputs.
- A representative from the medical industry expressed concern they have more than 30,000 infusion pumps that are that are directly connected to the Internet with no cyber security or ability to directly secure them. This is a major hole that needs to be addressed.
- I mentioned the almost simultaneous “failures” of two fertility clinics’ (one in Cleveland and the other in San Francisco) embryo freezers each of which would be considered a very rare (Black Swan) event.
The disconnect between domain experts and networking is very much alive and needs to be addressed.