Cyber security of control systems is not well understood even by the FBI

I have had numerous discussions with FBI representatives in different geographic regions on control system cyber security. This includes having the FBI present at the 2008 ICS Cyber Security Conference and participating with FBI representatives at various cyber security conferences. On Thursday, August 16th, the AP had a story about the cyber security of river traffic and other industrial operations around New Orleans – https://apnews.com/53378e69e9294c699cb5e520badb5848. As I was speaking later Thursday to an InfraGard meeting, I spoke to the agent who supervises the FBI's New Orleans cyber squad. He has a control system background. However, issues such as lack of security of process sensors, actuators, and drives were new.

As mentioned, later Thursday I gave a presentation to the San Francisco Bay Area InfraGard Chapter at SRI in Menlo Park. My presentation was “EMP and Cyber Threats to Long-term Grid Reliability”. The focus was on cyber, and the cyber focus was on physics issues such as Aurora that cannot be found from network monitoring and the lack of cyber security in sensors, actuators, and drives. As in almost all presentations on these subjects, this was new to many of the attendees, including the FBI. What I thought was disturbing, but not new, was who wasn’t there for a presentation on grid reliability – PG&E.

Joe Weiss