Control system cyber security conferences are actually impacting control system cyber security

I started the first Industrial Control Systems (ICS) Cyber Security Conference in 2002. I was asked to do this by a number of representatives of the utility industry as there were no cyber security conferences for control system engineers that focused on control systems and control system impacts – all of the others were IT (we have come full circle which is the purpose of this blog).

ICS cyber security conferences including SANS, S4, Kaspersky, ICSJWG (and its predecessor), API Cyber Security Conference, etc. had and still have a focus on IT/Operational Technology (OT) networks. The hope was when I sold the ICS Cyber Security Conference to SecurityWeek in 2014, it would have maintained its roots of focusing on control system engineering issues while opening up to the IT/OT community, but it did not. OT network cyber security and OT network cyber security conferences are important but still leave a gaping hole - the control system devices. There is a need for dedicated control system cyber security conferences whose focus is on the control/safety system engineers. This is particularly important after the June 2017 Triton plant shutdown, an incident where OT and Engineering apparently did not talk.

What drives this blog post was an epiphany I had walking through vendor displays at security and engineering conferences. The ICS cyber security conferences have done a good job of getting OT security vendors to display their wares, generally software. The “ICS Village” demonstrations focused on the Programmable Logic Controllers (PLCs) and HMIs (operator displays) while minimizing process sensors and actuators. But, I was struck by what I wasn’t seeing at ICS cyber security conferences: the control system vendors displaying their hardware – pumps, valves, sensors, etc. When I attended the Texas A&M Instrumentation & Automation Symposium in 2018 and 2019 and the 2018 ISA Water/Wastewater Conference, the control system vendors were displaying their sensor, actuator, and controller hardware, and there might have been one or two OT cyber security vendors. When I asked the control system vendors about cyber security of their process sensors, their response was that no one had asked them about cyber security of sensors, actuators, or drives. This vendor gap reinforces the very bright line that still exists between the networking (IT/ OT) organizations and the engineering organizations. As the June Triton event should have taught us, it is not possible to be secure without the IT/OT and Engineering organizations working together – and they are still not doing so.

I attended the April 24-25, 2019 Spring ICSJWG Conference in Kansas City (I flew in from Washington after attending the Atlantic Council’s International Conference on Cyber Engagement - see https://www.controlglobal.com/blogs/unfettered/atlantic-council-8th-annual-international-conference-on-cyber-engagement-observations). I gave the presentation: “Changing the Paradigm of Control System Cybersecurity – Culture and Technology”. There were many good presentations and demonstrations of OT network cyber security technologies. My presentation was the only one addressing the Purdue Reference Model Level 0,1 devices that have no security. If you can’t trust your measurement, you cannot be secure, reliable, or safe. Yet few people actually understood the entire control system loop from field devices and field device networks to controllers to OT networks to the HMIs. There were many of the “usual” OT cyber security presenters and security companies exhibiting. Additionally, there were many “newbies”. As there is no barrier to entry, these infrastructure cyber security conferences are giving legitimacy to OT vendors who don’t understand control systems. Consequently, their products can, and have, actually done harm to control systems and/or people. What is more disconcerting is the low percentage of control/safety engineers attending ICS cyber security conferences including ICSJWG, the S4 Conference in Miami in January, the SecurityWeek Conference I last attended in 2017, and the other OT security conferences. The converse could be said about lack of OT security personnel at engineering conferences/sessions.

As I stated at the Atlantic Conference in Washington DC, “Securing the networks are necessary but not sufficient to secure control systems. That is, the grid can work without the Internet, but the Internet cannot work without power.” Consequently, control system cyber security should be about keeping lights on, not just networks up. The Ukraine manually ran their grids for months as they could not trust their networks following the cyber attacks. Norsk Hydro ran their systems in manual following the ransomware attacks. Despite these actual cases, the ICS cyber security conferences continue to propagate the misconception that securing the OT networks leads to control system cyber security and safety. However, OT generally is neither the control/safety system hardware nor the control/safety engineers/technicians.

The real gap is not the IT/OT divide but packets versus process. That is, the focus on keeping the lights on (process), not just keeping the networks (packets) operating. Unfortunately, the networking community and the process/safety engineers are still not talking. This continuing gap between Engineering and networking is why I have been asked by the National Academy of Engineering to write an article on the cultural and technical issues associated with control system cyber security.

Joe Weiss