The gap between network cyber security and control system engineers prevents control systems from being secured

Securing Operational Technology (OT) networks is necessary for control system cyber security. The IT/OT convergence needs to be addressed as both are networking functions even though the distinction is blurring. However, securing IT/OT networks is not sufficient for securing control systems. That is because control systems also consist of field devices (e.g., process sensors, actuators, drives, power supplies, etc.) and field device networks (e.g., HART, Foundation Fieldbus, etc.) that have no security or authentication and yet are the input or final actuation for OT networks. Field devices and field device networks are designed, operated, and maintained by the control system engineers. Securing control systems requires a team effort from OT and control system engineers with the end goal of keeping the process working properly. In general, I don’t see that cooperation happening.

There is a distinct difference in how OT people view control system cyber security compared to control system engineers. To OT, it is about the security of the network, not the actual impact to systems. When OT finds malware or network anomalies, they cannot directly relate those anomalies to specific field equipment such as pumps, valves, motors, relays, etc. As an engineer, if you cannot tell me what specific equipment can be affected and how, what does the disclosure do for me? For the control systems engineer, the focus is the process. Is the process working as designed and is there degradation of the equipment regardless of whether it is malicious or unintentional? The vast majority of control system incidents won’t be cyber-related (at least that is identifiable as being cyber) but it is still critical to know the state of the process. For OT to be of value to the engineers, network cyber security has to help with these issues.

From my observations, the team spirit needed to secure control systems is still not there. This gap includes government, end-users, and solution-providers. I have seen this gap in far too many of my interactions since 2000. September 20th, I attended the SVEN (Silicon Valley Executive Network) cyber security conference in Los Altos, CA. I had a discussion with a Chief Information Security Officer (CISO) from a major cyber security company that provides OT security. His focus was the network, not the process. My focus is the process with networks being secondary. There wasn’t much room for compromise, though there needs to be, at least to some degree. September 21st, I met with a critical infrastructure control systems engineer who is now in the IT security department. We talked about the need for monitoring the process sensors. His response was “I’ll review and discuss with my SCADA customers. My actual team is 3 IT Security guys who won’t understand or appreciate any of this.” How can the people responsible for the security of control systems not understand the equipment they are responsible for securing?

Control system cyber security is a team sport, yet we still don’t have team participation. Until that time, control systems cannot be secured or be maintained in a safe manner.

Joe Weiss