Control Systems Cybersecurity Expert, Joseph M. Weiss, is an international authority on cybersecurity, control systems and system security. Weiss weighs in on cybersecurity, science and technology, security emerging threats and more.
The agenda has been released for the Atlantic Council’s 8th Annual International Conference on Cyber Engagement April 23rd at the George Washington University Lisner Auditorium - https://www.atlanticcouncil.org/icce. I will be on a panel session “IoT & Operational Technology Cyber Implications”.
We need to rethink how we secure control systems in a holistic manner as control system cyber attacks have become more stealthy and dangerous - and less detectable. This includes appropriate control system cyber security policies, procedures, training, and technologies as some do not yet exist.
Sophisticated cyber attacks can be misidentified as malfunctions. This brings up the need for out-of-band sensor monitoring as an independent view of the process conditions from the potentially compromised IP networks. The current focus on IT/OT convergence rather than reaching out to engineering will continue to lead to “blind spots”...
Cyber Command is recruiting U.S. energy companies as partners in developing and a new strategy. However, the utility personnel Cyber Command wants are the engineers that know how to operate power plants and substations. However, they generally have no cyber security training or responsibility.
It may not be possible to discriminate between cyber attacks, equipment malfunctions, or cyber attacks meant to look like equipment malfunctions. Consequently, the need to train the engineers and to monitor the sensors is becoming more critical as some of the most critical information to discriminate between these types of...
I did a podcast for Momenta Partners on Control Systems Cybersecurity: A Grim Gap - A Conversation with Joe Weiss - https://hubs.ly/H0gV0z_0. Given the lack of understanding I have a found at RSA this week on Level 0,1 control system field devices, this podcast is timely.
It is important to do a root cause analysis of a “malfunction” whether the incident was malicious (physical or cyber) or unintentional since you may not be able to tell the difference. The root cause team should include representatives from engineering as well as network security.
Hersh Shefrin is the Mario L. Belotti Professor of Finance from the Leavey School of Business at the University of Santa Clara. He wrote an article for Forbes – “Huawei And Facing Up To 5G-Related Cyber Risks” - https://www.forbes.com/sites/hershshefrin/2019/02/21/huawei-and-facing-up-to-5g-related-cyber-risks/#4132692f2672 .
I had conversations with the retired engineering managers from the ONLY TWO utilities that worked with DOD on installing and monitoring of the Aurora hardware mitigation devices. When I told them about the push back from industry on Aurora, they were dumbfounded and depressed.
Getting networking and technical organizations to work together is critical, and one would think should be easy. Unfortunately “doughnut diplomacy” hasn’t worked and the gap between Engineering and IT/OT continues to exist and may even be growing.