SINET Silicon Valley Conference – CISOs and Engineering often don’t mix

March 27, 2022
The SINET Silicon Valley 2022 Conference was held March 24, 2022 with the agenda at https://www.security-innovation.org/events/silicon/agenda/. The attendees were CISOs and senior cyber security personnel from industry and government capped by an appearance by US Secretary of Homeland Security. However, there were no engineering executives participating or attending even though there were CISOs from manufacturing and utility organizations. The SINET conference focused on network data and staffing issues. Consequently, data center physical damage and lack of cyber security in process sensors were not considered. The process sensor issue demonstrates how, given the existing cultural gaps, it is impossible to cyber secure ALL physical infrastructures when the engineering community does not feel cyber security affects them and the cyber security community only address Internet Protocol (IP) network data issues. Russia, China, and Iran are well-aware of the technical and cultural gaps in cyber securing physical infrastructures. What will it take for two communities to work together? 

The SINET Silicon Valley 2022 Conference was held March 24, 2022 with the agenda at https://www.security-innovation.org/events/silicon/agenda/. The attendees were CISOs and senior cyber security personnel from industry and government capped by an appearance by US Secretary of Homeland Security Alejandro Mayorkas. Additionally, there were many venture capitalists funding, or looking to fund, cyber security and data analytics organizations. However, there were no engineering executives participating even though there were CISOs from manufacturing and utility organizations.

Ironically, my colleague, Vytautas Butrimas from the NATO Energy Security Center of Excellence in Lithuania, issued a blog March 25, 2022, stating: “Hey, some advice to all of you computer science trained CISO's and IT cybersecurity professionals responsible for protecting your power utility, petrochemical plants, natural gas or liquid fuel pipelines - get a box of donuts or croissants and hot mugs of latte and seek out your senior plant, safety, control and protection engineers. The ones that you may not have met before or not know very well. Talk about this alert and see what you can do together to make sure your capabilities to monitor and control physical operations that follow the laws of physics and chemistry are ready and resilient to what may be coming (btw, has been coming for some time now).”  My response to Vytautus' blog was that for years, we hoped "donut diplomacy" would work. It has in some cases, but not many. As a general statement, it hasn't worked between senior engineering management and the CISOs which was demonstrated by the March 24th SINET Conference.

The SINET conference focused on network data and staffing issues. Consequently, data center physical damage was not considered and surprised the CISOs I met (https://www.controlglobal.com/blogs/unfettered/cyber-vulnerable-uninterruptible-power-supplies-upss-have-caused-physical-damage-to-data-centers). The lack of cyber security in Level 0,1 devices (e.g., process sensors, etc.) was not a consideration, nor was the awareness of the number and consequences of control system cyber incidents (more than 11 million malicious and unintentional control system cyber incidents that have directly resulted in more than 1,500 deaths). The SolarWinds attack demonstrates the gap in control system cyber security understanding. To date, there have been no government discussions addressing the SolarWinds hack on control systems (https://www.lawfareblog.com/solarwinds-hack-can-directly-affect-control-systems). The control system cyber security concerns were not mentioned at this session even though the SolarWinds CISO discussed the incident.

The Level 0,1 issue demonstrates the cultural gaps between networking and engineering that make it impossible to cyber secure physical infrastructures.  The engineering community does not feel cyber security affects them and the cyber security community only address Internet Protocol (IP) network data issues. Russia, China, and Iran are well-aware of the technical and cultural gaps in cyber securing physical infrastructures. What will it take for two communities to work together?

Joe Weiss

Sponsored Recommendations

Measurement instrumentation for improving hydrogen storage and transport

Hydrogen provides a decarbonization opportunity. Learn more about maximizing the potential of hydrogen.

Get Hands-On Training in Emerson's Interactive Plant Environment

Enhance the training experience and increase retention by training hands-on in Emerson's Interactive Plant Environment. Build skills here so you have them where and when it matters...

Learn About: Micro Motion™ 4700 Config I/O Coriolis Transmitter

An Advanced Transmitter that Expands Connectivity

Learn about: Micro Motion G-Series Coriolis Flow and Density Meters

The Micro Motion G-Series is designed to help you access the benefits of Coriolis technology even when available space is limited.