There is still a gaping hole in understanding ICS cyber security including by "experts"

Many people tell me there is no need for continued awareness about ICS cyber security. Control Design magazine asked 11 Internet of Things (IoT) "experts" how to protect controllers from a cyber attack (as best as I can tell, there were very few "experts" who actually understood control systems). According to the May 26, 2015 article "How do you protect controllers from cyber attacks?," the experts stated: "Controllers are part of the system when you're thinking of the Internet of Things. They are nothing more than devices on the network, and the key to their protection is making the network as secure as you need the controllers to be." The importance and consequences of end devices in an IT network (e.g., cell phones, tablets, laptops) are very different from those of end devices in a control system network (e.g., controllers, sensors, analyzers, drives). That the IT community does not understand the ICS-unique issues is not surprising (though I wish it wasn't). But to have an ICS-focused periodical publish this without questioning the experts is just mind-boggling to me. It is obvious the "experts" didn't understand the controller-unique issues with Stuxnet, nor do they understand the unique issues associated with plant and personnel safety.

ISA99 was established to address the unique issues associated with ICS cyber security. This includes not only the Windows-based HMIs, but also the controllers, sensors, drives, analyzers, etc., which are technologically and functionally different from IT devices. There are many significant ICS field device vulnerabilities that are device features and can be exploited even with a "secure" network (see Stuxnet). In fact, the three nuclear plant ICS cyber incidents I will be discussing June 4th at the International Atomic Energy Agency’s Cyber Security Conference were selected because the incidents were not network-related.

I hope that Control Design and other like periodicals will reconsider letting these types of statements stand and will better vet “experts” who are discussing ICS cyber security subjects.

Joe Weiss

Comments

  • I think the key is the understanding of the emphasis in this statement "the key to their protection is making the network as secure as you need the controllers to be". I believe the last part is key... how valuable is securing your network? It is as valuable as securing the controller! I'll admit that I'm presuming that the answer to the question is "yes, securing my controllers is critical, and therefore securing my network is critical".
