In preparation for my November 17th presentation to ISA Twin Cities (https://www.controlglobal.com/blogs/unfettered/november-17-2021-twin-cities-isa-education-event-control-system-cybersecurity), I have identified two critical flaws in cyber security approaches for physical infrastructures (e.g., power, grids, water/wastewater, petrochemical, pipelines, manufacturing, mining, transportation, buildings, medical devices, food manufacturing, defense, etc.). I have not used the term "critical infrastructure" as these issues apply to any physical infrastructure.
Physical infrastructures are monitored and controlled using instrumentation and control systems. Instrumentation monitors the processes and control systems control the physics. Yet, instrumentation and the physics of the processes are often ignored as the focus of security experts is on defending networks. These gaps can, and have, led to a lack of process safety, system reliability, and resiliency.
This failure to appreciate control system cyber security extends to both the network people who don’t look at the engineering aspects of the problem and the engineers who don’t look at the security impacts of the design or installation. As an example, there is an international industrial network draft standard addressing functional SAFETY that has not addressed cyber security but will probably be approved anyway.
I also wanted to add quotes from two instrumentation and control cyber security experts I respect that address these two issues:
- To the network experts: “Just because part of the system is not vulnerable to the threats you are used to seeing does not mean the system is not vulnerable.”
- To the engineers: "I have spent years talking to brick walls and brick heads about the lack of security in field devices. Their response is typically that they are air gapped and that everything is safe and secure. Irrational fantasy at best. I am not alone in this quest, but I am definitely in a minority.”