Juan Lopez from the Oak Ridge National Laboratory and I gave a presentation June 27th at the 2018 ISA Power Industry Division (POWID) Conference in Knoxville, TN. The presentation was entitled “The Gap in ICS Cyber Security and Safety – Level 0,1 Devices”. The Conference agenda can be found at file:///C:/Users/ACS/Downloads/2018%20POWID%20Onsite%20Program.pdf .
The specific issues that arose from our session included:
- All of the presentations other than ours focused on networks and malware. As this was a cybersecurity session, there were discussions about time between patches (30 days). However, there was no mention of instrument calibration intervals (from my earlier work, sensors can drift even with 30 day calibration intervals) or issues with sensor inaccuracies. As ISA POWID is an Instrumentation & Control conference, the lack of sensor discussions demonstrates the continuing gap between cyber security and operations. The lack of combining sessions that affect both cyber security and reliability/safety continues to foster the culture gap.
- There was a discussion about the lack of correlation between cyber vulnerabilities and plant equipment status. The attendees acknowledged there is no direct correlation between a cyber vulnerability or malware with the operability of pumps, valves, motors, turbines, relays, etc. This is consistent with the ICS-CERT vulnerability disclosures. The severity of the vulnerability is not related to the impact on the actual systems. Consequently, as a control systems engineer, what is the value of the disclosure severity?
- As there is no security in Level 0,1 devices, vulnerability assessments are not relevant for these devices. Consequently, there needs to be appropriate risk assessments. As a result of these discussions, I received a request to participate in the October EPRI Technical Assessment Methodology (TAG) Workshop.
Ironically, my interview on the sensor issues, “Cybersecurity at the Edge” (https://www.isa.org/intech/20180605/) was in the May/June issue of Intech magazine that was available to the conference attendees.