The existing focus on control system cyber security is not appropriate

The security community has overwhelmed the control system community and common sense has been lost. This gap is why I was willing to do the May 3rd webinar for The Critical Infrastructure Association of America, Inc.

The focus of control systems is reliability, availability, productivity, and safety. Traditionally, risks such as natural events and physical threats have been addressed as part of the design process, whereas cyber threats have not. By far, most of the cyber threats to control systems are not malicious in nature. Consequently, these threats and the resultant incidents are often ignored by the security community and not understood as being cyber-related by facility Operations. Moreover, many cyber security “solutions” have actually impacted reliability, availability, and/or productivity.

Control systems start with process sensing and end with final actuation elements. These are the devices that directly affect reliability, availability, productivity, and safety. These devices are used in the field device networks that have been around since before Ethernet networks. Control systems can continue to work if the Ethernet networks are unavailable, though the same can’t be said for the field device networks. However, field device networks generally don’t have cyber security or authentication and often can’t meet network cyber security requirements. Isn’t it ironic that the devices that can most directly cause “boom in the night” have no cyber security?

There is also a lack of understanding about control systems and how they are used. Matthew Horner published an article for Homeland Security Affairs at the Naval Postgraduate School entitled “SCADA Fusion with Commercial Fission.” Nuclear power plants don’t have SCADA systems. Can you imagine going to MacWorld and only wanting to talk about PCs? There really is a difference between DCS and SCADA systems that is obviously not understood by too many people whose roots are in security.

How can you secure what you don’t understand?

Joe Weiss

  • Fully agree. There are so many companies that jumped on OT security without having any relevant experience or footprint in the industry. It means a new market for them, so growth. Their customers often don’t understand the gap. The production people don’t have the security background knowledge, so the IT department is moved forward. They will contact their regular IT service provider. Result: many customers today don’t really know their security posture even after paying a lot of money for security and risk assessments. All very PC / network centric, often trying to impress the customer with some Metasploit-based hack demos. Waste of time and money.


  • What would be your recommended approach to cyber security protection for industrial control systems? Some customers read about a viral threat, then want to know if they are vulnerable. Of course vendors want to sell expensive solutions, but what is reasonable in your opinion?

