Control Systems Cybersecurity Expert, Joseph M. Weiss, is an international authority on cybersecurity, control systems and system security. Weiss weighs in on cybersecurity, science and technology, security emerging threats and more.
I did a podcast for Momenta Partners on Control Systems Cybersecurity: A Grim Gap - A Conversation with Joe Weiss - https://hubs.ly/H0gV0z_0. Given the lack of understanding I have found at RSA this week on Level 0,1 control system field devices, this podcast is timely.
It is important to do a root cause analysis of a “malfunction” whether the incident was malicious (physical or cyber) or unintentional since you may not be able to tell the difference. The root cause team should include representatives from engineering as well as network security.
Hersh Shefrin is the Mario L. Belotti Professor of Finance from the Leavey School of Business at the University of Santa Clara. He wrote an article for Forbes – “Huawei And Facing Up To 5G-Related Cyber Risks” - https://www.forbes.com/sites/hershshefrin/2019/02/21/huawei-and-facing-up-to-5g-related-cyber-risks/#4132692f2672.
I had conversations with the retired engineering managers from the ONLY TWO utilities that worked with DOD on installing and monitoring the Aurora hardware mitigation devices. When I told them about the pushback from industry on Aurora, they were dumbfounded and depressed.
Getting networking and technical organizations to work together is critical, and one would think should be easy. Unfortunately “doughnut diplomacy” hasn’t worked and the gap between Engineering and IT/OT continues to exist and may even be growing.
It is the physics issues, such as Aurora, that cause long-term damage and require engineering expertise. Consequently, there is a need to have both network cyber security and engineering expertise to properly address ICS cyber security, particularly from physics issues which are existential issues.
Moody’s Investor Services believes all utilities are prized targets for cyber attackers and sophisticated nation state actors may seek to exploit potential cybersecurity vulnerabilities. I think it is reasonable to assume that Moody’s is not comfortable that utilities are cyber secure regardless of the reassurances from industry organizations.
Addressing the field device level requires engineering expertise and is what makes control system cyber security different than IT/OT cyber security. Automation/process/relay engineers, field instrument/relay technicians, etc. are not OT but Engineering whereas OT is the network engineers and network technicians. Consequently, the real culture gap is between Engineering and IT/OT.
There is a common misperception that an OT network monitoring solution from any OT network monitoring vendor can find subtle process sensor issues (e.g., sensor drift when the sensor is still in normal operating range, clogged sensing lines when the sensor is still in operating range, etc.).
During 2018, Operational Technology (OT) cyber security and threat hunting vendors flourished. There also were many control system cyber vulnerabilities, multiple unintentional control system cyber incidents, and multiple control system cyber attacks. What is still missing is adequately addressing the control system field devices.