The gaps preventing cyber securing physical infrastructures

Nov. 16, 2021
Physical infrastructures are monitored and controlled using instrumentation and control systems. Instrumentation monitors the processes and control systems control the physics. Yet, instrumentation and the physics of the processes are often ignored as the focus of security experts is on defending networks. These gaps can, and have, led to a lack of process safety, system reliability, and resiliency. As an example, there is an international industrial network draft standard addressing functional SAFETY that has not addressed cyber security but will probably be approved anyway.  

In preparation for my November 17th presentation to ISA Twin Cities (https://www.controlglobal.com/blogs/unfettered/november-17-2021-twin-cities-isa-education-event-control-system-cybersecurity), I have identified two critical flaws in  cyber security approaches for physical infrastructures (e.g., power, grids, water/wastewater, petrochemical, pipelines, manufacturing, mining, transportation, buildings, medical devices, food manufacturing, defense, etc.). I have not used the term "critical infrastructure" as these issues apply to any physical infrastructure.

Physical infrastructures are monitored and controlled using instrumentation and control systems. Instrumentation monitors the processes and control systems control the physics. Yet, instrumentation and the physics of the processes are often ignored as the focus of security experts is on defending networks. These gaps can, and have, led to a lack of process safety, system reliability, and resiliency.

This failure to appreciate control system cyber security extends to both the network people who don’t look at the engineering aspects of the problem and the engineers who don’t look at the security impacts of the design or installation. As an example, there is an international industrial network draft standard addressing functional SAFETY that has not addressed cyber security but will probably be approved anyway.

I also wanted to add quotes from two instrumentation and control cyber security experts I respect that address these two issues:

- To the network experts: “Just because part of the system is not vulnerable to the threats you are used to seeing does not mean the system is not vulnerable.”

- To the engineers: "I have spent years talking to brick walls and brick heads about the lack of security in field devices. Their response is typically that they are air gapped and that everything is safe and secure. Irrational fantasy at best. I am not alone in this quest, but I am definitely in a minority.”

Joe Weiss

Sponsored Recommendations

IEC 62443 4-1 Cyber Certification – Why ML 3 is So Important

The IEC 62443 Security for Industrial Automation and Control Systems - Part 4-1: Secure Product Development Lifecycle Requirements help increase resilience for control systems...

Multi-Server SCADA Maintenance Made Easy

See how the intuitive VTScada Services Page ensures your multi-server SCADA application remains operational and resilient, even when performing regular server maintenance.

Your Industrial Historical Database Should be Designed for SCADA

VTScada's Chief Software Architect discusses how VTScada's purpose-built SCADA historian has created a paradigm shift in industry expectations for industrial redundancy and performance...

Linux and SCADA – What You May Not Have Considered

There’s a lot to keep in mind when considering the Linux® Operating System for critical SCADA systems. See how the Linux security model compares to Windows® and Mac OS®.