Control Systems Cybersecurity Expert, Joseph M. Weiss, is an international authority on cybersecurity, control systems and system security. Weiss weighs in on cybersecurity, science and technology, security emerging threats and more.
Obtaining control system cyber incident case histories is possible (my database has more than 1,200 actual cases) but it needs to be done with trusted individuals working with industry experts. There is also a need for “whistle blower protection” for individuals and companies that report these incidents.
There is a need to understand the role process sensors play in control system cyber security. OT network monitoring companies have a hole – plug it and everyone wins. Keep fighting and everyone loses. Hopefully, the good guys wake up before the bad guys attack us where there is neither...
It is critically important for the safety and reliability of our infrastructures that credit rating agencies such as Moody’s consider control system cyber security in their risk ratings assessments. For that, there needs to be control system metrics for evaluating technology and people.
There has effectively been an exclusion of domain experts (in industry and manufacturing – the engineers/Operations; and in finance - the economists) in control system cyber security. This exclusion of domain experts has also led to the exclusion of control system devices from adequate cyber security considerations.
On October 23rd, I will be giving the keynote on changing the paradigm of control system cyber security at EnergyTech in Cleveland. I will be speaking immediately after Moody’s Investor Services talks about cyber security and enterprise risk.
The report, “A Review of Cybersecurity Incidents in the Water Sector”, was published in the September 2019 issue of the Journal of Environmental Engineering. There are many technical gaps in the report. My concerns with these water cases are similar to gaps in other industries such as electric, oil/gas, and manufacturing.
Waterfall Security has released the podcast on my interview – “Three Networks – OT, OT, and Engineering” Podcast Episode #20. There have been many discussions about the IT/OT convergence but little about the need to also have engineering involved.
It is unacceptable to take almost 4 years to recognize there are engineering issues associated with a cyber attack intended to damage equipment. It is even more unacceptable that after almost 4 years, OT still doesn’t get it right.