Wednesday, April 20, 2016

I gave a presentation to a Chief Information Officer (CIO) forum representing the manufacturing supply chain for the micro- and nano-electronics industries. There were a number of interesting observations:
- The FBI gave a presentation the day before. One of the CIOs complained the FBI did not have the requisite expertise and the FBI was not willing to share any information. Their focus was on finding and prosecuting offenders. The same FBI shortcomings occur in the control system cyber security space.
- The need to form a bond between IT and Operations was discussed. The idea of embedding IT into the manufacturing operation was raised by several of the attendees.
- There are only a limited number of ICS vendors that cross all industries and all geographic regions. The issues being discussed are not unique to the fab industry but are common to all. Consequently, the meeting and discussions would be very similar if you substitute the words “electric power”, “water”, “chemicals”, “food processing”, etc. for “semiconductor manufacturing”.
- For ICSs, the CIA paradigm is not only backward but is missing the letter “S” for safety. It turns out the equipment manufacturers use some very toxic gases, and a cyber incident could be deadly to their personnel. There was a similar revelation when I spoke to the food industry (see March 18, 2016 blog).
- The issue of ISO27000 not being adequate for ICS was mentioned. That is why we started ISA99.
- After giving examples of actual ICS cyber incidents, one of the attendees mentioned they also had an ICS cyber incident (this is where I get many of the incidents in my database). This vendor has a lab where they build models of the equipment installed in the field. They were testing a Windows 98 system (this is common in industry where older versions of Windows cannot be upgraded without having to replace the equipment that is using the out-of-date HMI). There was a compromise of a chip that spread throughout the system. It took about 3 months to identify and mitigate the problem. The vendor found there were layers upon layers of systems using devices that didn’t look like computers. It was a significant learning experience. I was also told this type of problem is not uncommon and not unique to any specific equipment vendor.
April 19th, the electric utilities filed a response to FERC on why they should not have to address supply chain issues. Does that sound like a responsible answer from companies responsible for providing reliable electric power when the root of the supply chain may not be secure?