The gaps preventing cyber securing physical infrastructures

Nov. 16, 2021
Physical infrastructures are monitored and controlled using instrumentation and control systems. Instrumentation monitors the processes and control systems control the physics. Yet, instrumentation and the physics of the processes are often ignored as the focus of security experts is on defending networks. These gaps can, and have, led to a lack of process safety, system reliability, and resiliency. As an example, there is an international industrial network draft standard addressing functional SAFETY that has not addressed cyber security but will probably be approved anyway.  

In preparation for my November 17th presentation to ISA Twin Cities (https://www.controlglobal.com/blogs/unfettered/november-17-2021-twin-cities-isa-education-event-control-system-cybersecurity), I have identified two critical flaws in  cyber security approaches for physical infrastructures (e.g., power, grids, water/wastewater, petrochemical, pipelines, manufacturing, mining, transportation, buildings, medical devices, food manufacturing, defense, etc.). I have not used the term "critical infrastructure" as these issues apply to any physical infrastructure.

Physical infrastructures are monitored and controlled using instrumentation and control systems. Instrumentation monitors the processes and control systems control the physics. Yet, instrumentation and the physics of the processes are often ignored as the focus of security experts is on defending networks. These gaps can, and have, led to a lack of process safety, system reliability, and resiliency.

This failure to appreciate control system cyber security extends to both the network people who don’t look at the engineering aspects of the problem and the engineers who don’t look at the security impacts of the design or installation. As an example, there is an international industrial network draft standard addressing functional SAFETY that has not addressed cyber security but will probably be approved anyway.

I also wanted to add quotes from two instrumentation and control cyber security experts I respect that address these two issues:

- To the network experts: “Just because part of the system is not vulnerable to the threats you are used to seeing does not mean the system is not vulnerable.”

- To the engineers: "I have spent years talking to brick walls and brick heads about the lack of security in field devices. Their response is typically that they are air gapped and that everything is safe and secure. Irrational fantasy at best. I am not alone in this quest, but I am definitely in a minority.”

Joe Weiss

Sponsored Recommendations

Measurement instrumentation for improving hydrogen storage and transport

Hydrogen provides a decarbonization opportunity. Learn more about maximizing the potential of hydrogen.

Get Hands-On Training in Emerson's Interactive Plant Environment

Enhance the training experience and increase retention by training hands-on in Emerson's Interactive Plant Environment. Build skills here so you have them where and when it matters...

Learn About: Micro Motion™ 4700 Config I/O Coriolis Transmitter

An Advanced Transmitter that Expands Connectivity

Learn about: Micro Motion G-Series Coriolis Flow and Density Meters

The Micro Motion G-Series is designed to help you access the benefits of Coriolis technology even when available space is limited.