Control System Security and Appropriate Vendor Technology

Ever since my days at EPRI managing various advanced instrumentation and controls programs, I have had vendors call me with products that are “the best thing since sliced bread”.

There is an old saying that if you are a carpenter, everything looks like a nail. Just because control system HMIs are migrating toward Windows and TCP/IP does not mean that control systems are business IT systems. There are significant technical and administrative differences between business IT systems and field instrumentation systems though differences between business IT and SCADA/DCS HMIs are much less. DOE’s and DHS’s focus have been effectively a repackaging of IT security solutions for control systems.

This has been a mixed blessing – bringing more vendors into the control systems field, but also bringing in vendors with little idea of what makes a control system different and little idea of how it is actually used. Consequently, there is the potential for the cure being worse than the disease. 

One example is an article in the recent issue of a power generation magazine discussing unknown connections with control systems. The vendor posits their technology could have detected and/or prevented the anomalies that caused the Hatch Nuclear Plant shutdown.

I called the vendor to discuss their product in the context of control systems. They have significant experience with Windows, TCP/IP, Ethernet, etc. However, when I asked if they had tested their technology on field devices such as PLCs, the answer was no. In this case, scanning a control system network to determine what devices are on the network could cause an event like Hatch or worse, not prevent it.

There is a crying need for security vendors coming out of banking, finance, health care, DOD, etc (and end-users buying into the hype) to better understand the unique environment of legacy control systems and for end users to question the validity of these technologies before implementing them in critical control system applications.

Joe Weiss

Beginning in January, I will be providing a monthly subscription newsletter. Stay tuned for more details.