The attached is my keynote for the EnergyTech Conference in Cleveland October 23, 2018.
Cyber security is defined as electronic communications between systems that affect confidentiality, integrity, or availability. Cyber threats do not need to be malicious to cause catastrophic damage. The grid was designed to be resilient to unintentional and expected intentional threats that could result in short term outages. The grid was not designed to be resilient to cyber threats that cause equipment damage. Domestic and international cyber-related outages were of short duration because equipment was not damaged. Consequently, cyber security for the electric grid is important if cyber threats can damage long-lead time critical equipment leading to long-term wide spread outages.
Control systems in commercial, industrial, transportation, medical, and defense infrastructures utilize a combination of commercial-of-the shelf Human-Machine Interfaces (generally Windows) with Internet Protocol (IP) networks, generally Ethernet, along with field devices such as process sensors, actuators, and drives with their field level networks. Cyber security is a top-down approach by identifying malware and network anomalies in the IP networks- network anomaly detection. This is because for IT, the end goal is to assure that data has not been compromised. The IT approach has been expanded to also address control systems by monitoring Operational Technology (OT) control system Ethernet networks. The network monitoring approach is necessary but not sufficient to cyber secure control systems and prevent long term equipment damage. That is because network monitoring can neither cyber secure legacy control system devices that have no cyber security or authentication nor identify which specific control system devices (e.g., pumps, valves, motors, relays, etc.) are vulnerable to network attacks. Consequently, the IT/OT approach cannot support reliability or safety considerations nor cyber secure the system of systems that make up control systems – an intractable problem.
Protecting control systems should be based on the engineering priorities of safety and reliability followed by cyber security if a cyber incident can affect reliability or safety. Legacy process sensors (e.g., pressure, level, flow, temperature, voltage, current, etc.) are mechanical and/or electrical devices that have cyber and non-cyber failure modes but no cyber security or authentication. Examples where sensors contributed to catastrophic failures include the Three Mile Island core melt, the Texas City Refinery explosion, and the Buncefield tank farm explosion in the UK. Large equipment such as generators, motors, pumps, and relays have “do not operate” zones that can cause catastrophic damage. Threats such as the Aurora vulnerability use cyber to cause equipment to operate in “do not operate” zones leading to catastrophic failures with no cyber forensics. The Aurora vulnerability can bring the grid down for 9-18 months by damaging critical equipment.
Monitoring the electrical characteristics of the process sensors in real time is process anomaly detection. Process anomalies can occur for any reason including cyber threats. If the sensors, which are ground truth, do not agree with the network, the network is suspect. Making cyber security an engineering problem can make an intractable network problem tractable, prevent long term equipment damage, improve safety and reliability, and help in identifying impacts from supply chain threats. Sensor monitoring can also help address the cultural abyss that continues to exist between the engineering and security organizations. Control systems cannot be secured without bridging this cultural gap.