
Guardians of critical infrastructure: Where are the control systems?

April 25, 2024
Infragard will be holding a session, “Cyber Defenders: Guardians of Critical Infrastructure,” but there are critical issues with the seminar’s agenda.

Critical infrastructures include electric power, water/wastewater, manufacturing, transportation, chemicals, food, beverage, agriculture, defense industrial base, etc. These sectors require control systems to work and can be substantially impacted if they don’t work as designed.

On Tuesday, May 7, 2024, Infragard will be holding an all-day session, “Cyber Defenders: Guardians of Critical Infrastructure,” at the RSA Conference in San Francisco. The Infragard description states:

“As declared by Executive Order 14028, the United States and U.S. businesses face persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately, the American people’s security and privacy. This one-day seminar will arm cybersecurity professionals and non-technical executives alike with the knowledge, tools and resources to become cyber defenders and protect our nation’s most critical assets. Attendees will: gain an understanding of today’s cyber threat actors with briefings from the FBI Cyber and Counterintelligence Divisions; explore the new landscape of emerging cyber laws and regulations; learn how to incorporate reasonable security into a defensible cyber program; understand the key risks associated with credential management, vendor and supply chain risk management, and vulnerability and patch management; learn how threat actors gain access to networks; hear case studies of cyber-attacks on U.S. critical infrastructure; participate in how-to sessions on building a modern incident response program; and participate as the jury in an innovative mock trial that places a CISO on the stand following a data breach.”

Issues with the seminar agenda for critical infrastructure control systems:

  • Executive Order 14028 is good as far as it goes, but it does not fully address the unique issues associated with control systems. The terms SCADA, industrial control systems and cyber-physical systems were not used, and IoT was only addressed for consumer applications. 
  • Privacy is not a primary concern for control systems, but availability and safety are.
  • Control system field devices such as process sensors and actuators typically have no security credentials. In fact, they have no cyber security, authentication, cyber forensics or appropriate training. 
  • IT patch management, in the usual sense, is not relevant to control systems and control system field devices for numerous technical and operational reasons. 
  • Control systems incidents are rarely identified as being cyber-related. Consequently, cyber incident response programs are not initiated. 

Considering FBI Director Wray has been stating his concerns about the Chinese attacking our critical infrastructures, will the case studies of cyber-attacks on U.S. critical infrastructure address control system cyberattacks? These include Iranian and Russian cyberattacks on water/wastewater and food and beverage control systems causing physical impacts, Chinese hardware backdoors in large electric transformers to compromise the electric grid, and what may have happened to the Dali container ship in Baltimore that hit the Key Bridge.

These are not data breaches, but control system cyberattacks intended to cause harm. Unfortunately, control system cyber security is not the principal expertise of the FBI or the identified speakers. Perhaps they could expand their set of experts?

Since you can’t protect critical infrastructures when you don’t address the control systems, what are the cyber defenders guarding (beyond the data)?
