SINET Silicon Valley Conference – CISOs and Engineering often don’t mix

March 27, 2022
The SINET Silicon Valley 2022 Conference was held March 24, 2022 with the agenda at https://www.security-innovation.org/events/silicon/agenda/. The attendees were CISOs and senior cyber security personnel from industry and government capped by an appearance by US Secretary of Homeland Security. However, there were no engineering executives participating or attending even though there were CISOs from manufacturing and utility organizations. The SINET conference focused on network data and staffing issues. Consequently, data center physical damage and lack of cyber security in process sensors were not considered. The process sensor issue demonstrates how, given the existing cultural gaps, it is impossible to cyber secure ALL physical infrastructures when the engineering community does not feel cyber security affects them and the cyber security community only address Internet Protocol (IP) network data issues. Russia, China, and Iran are well-aware of the technical and cultural gaps in cyber securing physical infrastructures. What will it take for two communities to work together? 

The SINET Silicon Valley 2022 Conference was held March 24, 2022 with the agenda at https://www.security-innovation.org/events/silicon/agenda/. The attendees were CISOs and senior cyber security personnel from industry and government capped by an appearance by US Secretary of Homeland Security Alejandro Mayorkas. Additionally, there were many venture capitalists funding, or looking to fund, cyber security and data analytics organizations. However, there were no engineering executives participating even though there were CISOs from manufacturing and utility organizations.

Ironically, my colleague, Vytautas Butrimas from the NATO Energy Security Center of Excellence in Lithuania, issued a blog March 25, 2022, stating: “Hey, some advice to all of you computer science trained CISO's and IT cybersecurity professionals responsible for protecting your power utility, petrochemical plants, natural gas or liquid fuel pipelines - get a box of donuts or croissants and hot mugs of latte and seek out your senior plant, safety, control and protection engineers. The ones that you may not have met before or not know very well. Talk about this alert and see what you can do together to make sure your capabilities to monitor and control physical operations that follow the laws of physics and chemistry are ready and resilient to what may be coming (btw, has been coming for some time now).”  My response to Vytautus' blog was that for years, we hoped "donut diplomacy" would work. It has in some cases, but not many. As a general statement, it hasn't worked between senior engineering management and the CISOs which was demonstrated by the March 24th SINET Conference.

The SINET conference focused on network data and staffing issues. Consequently, data center physical damage was not considered and surprised the CISOs I met (https://www.controlglobal.com/blogs/unfettered/cyber-vulnerable-uninterruptible-power-supplies-upss-have-caused-physical-damage-to-data-centers). The lack of cyber security in Level 0,1 devices (e.g., process sensors, etc.) was not a consideration, nor was the awareness of the number and consequences of control system cyber incidents (more than 11 million malicious and unintentional control system cyber incidents that have directly resulted in more than 1,500 deaths). The SolarWinds attack demonstrates the gap in control system cyber security understanding. To date, there have been no government discussions addressing the SolarWinds hack on control systems (https://www.lawfareblog.com/solarwinds-hack-can-directly-affect-control-systems). The control system cyber security concerns were not mentioned at this session even though the SolarWinds CISO discussed the incident.

The Level 0,1 issue demonstrates the cultural gaps between networking and engineering that make it impossible to cyber secure physical infrastructures.  The engineering community does not feel cyber security affects them and the cyber security community only address Internet Protocol (IP) network data issues. Russia, China, and Iran are well-aware of the technical and cultural gaps in cyber securing physical infrastructures. What will it take for two communities to work together?

Joe Weiss

Sponsored Recommendations

Make Effortless HMI and PLC Modifications from Anywhere

The tiny EZminiWiFi is a godsend for the plant maintenance engineers who need to make a minor modification to the HMI program or, for that matter, the PLC program. It's very easy...

The Benefits of Using American-Made Automation Products

Discover the benefits of American-made automation products, including stable pricing, faster delivery, and innovative features tailored to real-world applications. With superior...

50 Years of Automation Innovation and What to Expect Next

Over the past 50 years, the automation technology landscape has changed dramatically, but many of the underlying industry needs remain unchanged. To learn more about what’s changed...

Manufacturing Marvels Highlights Why EZAutomation Is a Force to Be Reckoned With

Watch EZAutomation's recent feature on the popular FOX Network series "Manufacturing Marvels" and discover what makes them a force to be reckoned with in industrial automation...