There is still a gaping hole in understanding ICS cyber security including by "experts"

May 29, 2015

Internet of Things (IOT) “experts” stated that controllers are nothing more than devices on the network, and the key to their protection is making the network as secure as you need the controllers to be. As demonstrated by Stuxnet, this is not correct, and there needs to be more vetting of who the ICS cyber security experts are.

Many people tell me there is no need for continued awareness about ICS cyber security. Control Design magazine asked 11 Internet of Things (IOT) “experts” how do you protect controllers from a cyber attack (as best as I can tell, there were very few "experts" that actually understood control systems). According to the May 26, 2015 article "How do you protect controllers from cyber attacks?," the experts stated: "Controllers are part of the system when you're thinking of the Internet of Things. They are nothing more than devices on the network, and the key to their protection is making the network as secure as you need the controllers to be." The importance and consequences of end devices in an IT network (e.g., cell phones, tablets, laptops) are very different from those of end devices in a control system network (e.g., controllers, sensors, analyzers, drives). That the IT community does not understand the ICS-unique issues is not surprising (though I wish it wasn't). But to have an ICS-focused periodical publish this without questioning the experts is just mind-boggling to me. It is obvious the "experts" didn't understand the controller-unique issues with Stuxnet, nor do they understand the unique issues associated with plant and personnel safety.

ISA99 was established to address the unique issues associated with ICS cyber security. This includes not only the Windows-based HMIs, but also the controllers, sensors, drives, analyzers, etc., which are technologically and functionally different from IT devices. There are many significant ICS field device vulnerabilities that are device features and can be exploited even with a "secure" network (see Stuxnet). In fact, the three nuclear plant ICS cyber incidents I will be discussing June 4th at the International Atomic Energy Agency’s Cyber Security Conference were selected because the incidents were not network-related.

I hope that Control Design and other like periodicals will reconsider letting these types of statements stand and will better vet “experts” who are discussing ICS cyber security subjects.

Joe Weiss