Over the past several months, Joe Weiss of Realtime ACS, who writes our Joe Weiss Unfettered blog, and I have repeatedly gotten embroiled in a discussion about control system cybersecurity. Many IT security professionals now profess to be industrial cybersecurity experts because they understand SCADA and have worked for years in enterprise IT and enterprise cybersecurity. But as Joe and I have pointed out, it takes more than that to function properly in the industrial controls environment.
Control systems control the industrial infrastructure. Control system engineers are system engineers, Weiss wrote. Consequently, they are conversant in control theory, electrical engineering, mechanical engineering, chemistry, physics, computer programming and, for nuclear plants, nuclear engineering. Without this expertise, they cannot adequately assure the control systems can control the process adequately and safely.
It is clear that control systems, whether they are machine controllers, cell control systems, single-loop control systems, DCS systems or SCADA systems, have their own sets of issues that people trained only in computer science, and who have worked only in enterprise IT, do not have the expertise to understand.
So, what do we do about it?
Well, one of the things we can do is to recognize the situation for what it is, instead of sticking our heads in the sand and arguing that just because the horse has stripes, it isn't a zebra.
The obvious next question is how we educate IT experts in the arcane ways of automation and, just as important, how we educate automation professionals about the lessons two generations of IT professionals have learned about security.
We have to do both of those things, or we will be guilty of endangering our critical infrastructure and all the millions of people who depend on it for their daily lives.
"I'd like to point out that an easy first step is drawing lines in responsibility," said Nathan Boerger in a blog comment on Soundoff!. "This is a bit oversimplified, but I've been successful in the past with a little communication on both ends: IT guards and configures the network and servers; automation experts deal with hardware and PLC programming. Distributed control clients fall in the middle, but that's not too difficult a problem. A little recognition and communication goes a long way as a starting point. Then it becomes a matter of training."
Responsibility. Benchmarking. Training.
Automation is a multidisciplinary profession. People come to it from many backgrounds and many modes of training and experience. Automation professionals need to remember that IT security experts are just that: experts. They can teach us a lot. And IT security professionals need to remember that automation and control system experts are able to teach them too.
Control systems are different. Yes, they are!