Control system cybersecurity is different than IT cybersecurity. It is also more than just network security (IT and OT) which is necessary but not sufficient to secure any control system. There is still confusion as to what constitutes Operational Technology (OT) vs control system cybersecurity and whether control system cyber threats are real. This presentation will address the unique issues with control system cybersecurity, gaps in government policies and industry standards, and a discussion of selected actual control system cyber incidents from multiple industries. Industries include power, water/wastewater, refining, pipelines, buildings, medical device manufacturing, food manufacturing, transportation, etc.
The presentation is an engineer’s view of control system cyber security based on “facts and physics” including the almost 12 million actual control system cyber incidents identified to date. Most of these incidents were not identified as being cyber-related as there is no cyber forensics at Level 0,1 layer nor cyber security training for the control system engineers.
The following items recently occurred that will be addressed:
- CISA held a tabletop exercise at the Salt Lake City Chevron refinery. In 2015, DHS declassified more than 800 pages on the Aurora vulnerability. One of the DHS slides identified the PG&E substations that, if compromised, would damage the Alternating Current (AC) rotating equipment at the Chevron Richmond refinery. The Aurora slides also include how Aurora can damage water systems and natural gas pipeline compressors. These issues are not addressed by American Water Works Association (AWWA) cyber security guidelines for water or TSA cyber security requirements for pipelines.
- The Office of the Director of National Intelligence released a National Intelligence Estimate stating that “China is the world’s leading supplier of advanced grid components for ultra-high-voltage systems, such as transformers, circuit breakers, and inverters, which we assess creates cyber vulnerability risks.” These hardware supply chain issues are not being addressed. Moreover, the NERC CIPs exclude the technical issues needed to address existing hardware backdoors.
- There is no cyber security in process measurements, actuators, drives, analyzers, and safety protocols. A state-of-the-art safety pressure transmitter failed more than 60 of the cyber security requirements in ISA 62443-4-2. How can you be cyber secure, safe, or resilient if you can’t trust what you measure?
A paradigm change will be presented to make intractable OT network problems tractable engineering approaches that can withstand IT network malware including ransomware.
Click here to join the meeting
Joe Weiss
