SINET Silicon Valley Conference – CISOs and Engineering often don’t mix

March 27, 2022
The SINET Silicon Valley 2022 Conference was held March 24, 2022, with the agenda at https://www.security-innovation.org/events/silicon/agenda/. The attendees were CISOs and senior cyber security personnel from industry and government, capped by an appearance by the US Secretary of Homeland Security. However, there were no engineering executives participating or attending even though there were CISOs from manufacturing and utility organizations. The SINET conference focused on network data and staffing issues. Consequently, data center physical damage and lack of cyber security in process sensors were not considered. The process sensor issue demonstrates how, given the existing cultural gaps, it is impossible to cyber secure ALL physical infrastructures when the engineering community does not feel cyber security affects them and the cyber security community only addresses Internet Protocol (IP) network data issues. Russia, China, and Iran are well aware of the technical and cultural gaps in cyber securing physical infrastructures. What will it take for the two communities to work together?

The SINET Silicon Valley 2022 Conference was held March 24, 2022, with the agenda at https://www.security-innovation.org/events/silicon/agenda/. The attendees were CISOs and senior cyber security personnel from industry and government, capped by an appearance by US Secretary of Homeland Security Alejandro Mayorkas. Additionally, there were many venture capitalists funding, or looking to fund, cyber security and data analytics organizations. However, there were no engineering executives participating even though there were CISOs from manufacturing and utility organizations.

Ironically, my colleague, Vytautas Butrimas from the NATO Energy Security Center of Excellence in Lithuania, issued a blog on March 25, 2022, stating: “Hey, some advice to all of you computer science trained CISOs and IT cybersecurity professionals responsible for protecting your power utility, petrochemical plants, natural gas or liquid fuel pipelines - get a box of donuts or croissants and hot mugs of latte and seek out your senior plant, safety, control and protection engineers. The ones that you may not have met before or not know very well. Talk about this alert and see what you can do together to make sure your capabilities to monitor and control physical operations that follow the laws of physics and chemistry are ready and resilient to what may be coming (btw, has been coming for some time now).” My response to Vytautas' blog was that for years, we hoped "donut diplomacy" would work. It has in some cases, but not many. As a general statement, it hasn't worked between senior engineering management and the CISOs, which was demonstrated by the March 24th SINET Conference.

The SINET conference focused on network data and staffing issues. Consequently, data center physical damage was not considered, and it surprised the CISOs I met (https://www.controlglobal.com/blogs/unfettered/cyber-vulnerable-uninterruptible-power-supplies-upss-have-caused-physical-damage-to-data-centers). The lack of cyber security in Level 0,1 devices (e.g., process sensors) was not a consideration, nor was the awareness of the number and consequences of control system cyber incidents (more than 11 million malicious and unintentional control system cyber incidents that have directly resulted in more than 1,500 deaths). The SolarWinds attack demonstrates the gap in control system cyber security understanding. To date, there have been no government discussions addressing the SolarWinds hack on control systems (https://www.lawfareblog.com/solarwinds-hack-can-directly-affect-control-systems). The control system cyber security concerns were not mentioned at this session even though the SolarWinds CISO discussed the incident.

The Level 0,1 issue demonstrates the cultural gaps between networking and engineering that make it impossible to cyber secure physical infrastructures. The engineering community does not feel cyber security affects them and the cyber security community only addresses Internet Protocol (IP) network data issues. Russia, China, and Iran are well aware of the technical and cultural gaps in cyber securing physical infrastructures. What will it take for the two communities to work together?

Joe Weiss