The existing focus on control system cyber security is not appropriate

May 2, 2018
The focus of control systems is reliability, availability, productivity, and safety which is directly affected by field devices such as process sensors, actuators, and drives. Yet the focus of cyber security has been on networks and data. There is also a lack of understanding of control systems.

The security community has overwhelmed the control system community and common sense has been lost. This gap is why I was willing to do the May 3rd webinar for The Critical Infrastructure Association of America, Inc.

The focus of control systems is reliability, availability, productivity, and safety. Traditionally, risks such as natural events and physical threats have been addressed as part of the design process whereas cyber threats have not. By far, most of the cyber threats to control systems are not malicious in nature. Consequently, these threats and resultant incidents are often ignored by the security community and not understood as being cyber-related by facility Operations. Moreover, many cyber security “solutions” have actually impacted reliability, availability, and/or productivity. Control systems start with process sensing and end with final actuation elements. These are the devices that directly affect reliability, availability, productivity, and safety. These devices are used in the field device networks that have been around since before Ethernet networks. Control systems can continue to work if the Ethernet networks are unavailable though the same can’t be said for the field device networks. However, field device networks generally don’t have cyber security or authentication and often can’t meet network cyber security requirements. Isn’t it ironic that the devices that most directly can cause “boom in the night” have no cyber security?

There is also the lack of understanding about control systems and how they are used. Matthew Horner published an article for the Homeland Security Affairs at the Naval Post Graduate School entitled SCADA Fusion with Commercial Fission. Nuclear power plants don’t have SCADA systems. Can you image going to MacWorld and only wanting to talk about PCs? There really is a difference between DCS and SCADA systems that is obviously not understood by too many people whose roots are in security.

How can you secure what you don’t understand?

Joe Weiss