Control Systems Cybersecurity Expert, Joseph M. Weiss, is an international authority on cybersecurity, control systems and system security. Weiss weighs in on cybersecurity, science and technology, emerging security threats and more.
I had conversations with the retired engineering managers from the ONLY TWO utilities that worked with DOD on installing and monitoring the Aurora hardware mitigation devices. When I told them about the pushback from industry on Aurora, they were dumbfounded and depressed.
Getting networking and technical organizations to work together is critical, and one would think it should be easy. Unfortunately, “doughnut diplomacy” hasn’t worked and the gap between Engineering and IT/OT continues to exist and may even be growing.
It is the physics issues, such as Aurora, that cause long-term damage and require engineering expertise. Consequently, there is a need to have both network cyber security and engineering expertise to properly address ICS cyber security, particularly from physics issues which are existential issues.
Moody’s Investor Services believes all utilities are prized targets for cyber attackers and that sophisticated nation-state actors may seek to exploit potential cybersecurity vulnerabilities. I think it is reasonable to assume that Moody’s is not comfortable that utilities are cyber secure regardless of the reassurances from industry organizations.
Addressing the field device level requires engineering expertise and is what makes control system cyber security different than IT/OT cyber security. Automation/process/relay engineers, field instrument/relay technicians, etc. are not OT but Engineering, whereas OT is the network engineers and network technicians. Consequently, the real culture gap is between Engineering and IT/OT.
There is a common misperception that an OT network monitoring solution from any OT network monitoring vendor can find subtle process sensor issues (e.g., sensor drift when the sensor is still in normal operating range, clogged sensing lines when the sensor is still in operating range, etc.).
During 2018, Operational Technology (OT) cyber security and threat hunting vendors flourished. There also were many control system cyber vulnerabilities, multiple unintentional control system cyber incidents, and multiple control system cyber attacks. What is still missing is adequately addressing the control system field devices.
I wrote an article for RealComm (corporate real estate organization) on control system cyber security and what it means to commercial buildings. I have provided two actual examples of physical damage to buildings, in this case data centers, from control system cyber incidents.
The 2018 President’s National Infrastructure Advisory Council (NIAC) report, “Surviving a Catastrophic Power Outage – How to Strengthen the Capabilities of the Nation”, was issued December 2018. How can we respond and recover from catastrophic power outages when we continue to ignore the devices that can prevent “respond and recover”?...