Control Systems Cybersecurity Expert, Joseph M. Weiss, is an international authority on cybersecurity, control systems and system security. Weiss weighs in on cybersecurity, science and technology, security emerging threats and more.
It is the physics issues, such as Aurora, that cause long-term damage and require engineering expertise. Consequently, there is a need to have both network cyber security and engineering expertise to properly address ICS cyber security, particularly from physics issues which are existential issues.
Moody’s Investor Services believes all utilities are prized targets for cyber attackers and sophisticated nation state actors may seek to exploit potential cybersecurity vulnerabilities. I think it is reasonable to assume that Moody’s is not comfortable that utilities are cyber secure regardless of the reassurances from industry organizations.
Addressing the field device level requires engineering expertise and is what makes control system cyber security different than IT/OT cyber security. Automation/process/relay engineers, field instrument/relay technicians, etc. are not OT but Engineering whereas OT is the network engineers and network technicians. Consequently, the real culture gap is between Engineering and IT/OT.
There is a common misperception that an OT network monitoring solution from any OT network monitoring vendor can find subtle process sensor issues (e.g., sensor drift when the sensor is still in normal operating range, clogged sensing lines when the sensor is still in operating range, etc.).
During 2018, Operational Technology (OT) cyber security and threat hunting vendors flourished. There also were many control system cyber vulnerabilities, multiple unintentional control system cyber incidents, multiple control system cyber attacks. What is still missing is adequately addressing the control system field devices.
I wrote an article for RealComm (corporate real estate organization) on control system cyber security and what it means to commercial buildings. I have provided two actual examples of physical damage to buildings, in this case data centers, from control system cyber incidents.
The 2018 President’s National Infrastructure Advisory Council (NIAC) report “Surviving a Catastrophic Power Outage – How to Strengthen the Capabilities of the Nation”, was issued December 2018. How can we respond and recover from catastrophic power outages when we continue to ignore the devices that can prevent “respond and recover”?...
One of the last of the executive nuclear power pioneers that led the transition from navy nuclear plants to commercial nuclear power passed away. He also was aware that cyber security needed to be addressed.