Control systems are used to monitor and control physical processes. Measured variables include pressure, temperature, level, flow, voltage, current, resistance, power, weight (mass), speed, distance, direction, chemical composition, strain, size, color, radiation, etc. Control systems compare the measured variables to a setpoint. For example, the control system checks the temperature to see if it is too high or too low and automatically adjusts conditions so the temperature returns to the desired value. It should be obvious these variables and this type of control is used by multiple types of organizations and for multiple types of processes.
The term Industrial Control Systems (ICS) was coined about 10 years ago to be a general term for the control systems used in all industries. This was because the major control system vendors, eg, GE, Siemens, Rockwell, ABB, Honeywell, Emerson, Schneider, etc. supply industrial process control systems to multiple industries – electric, water, oil/gas, pipelines, manufacturing, nuclear, etc. As ISA is process industry-focused and after significant discussion, ISA adopted the name for the ISA99 control system cyber system security committee to be Industrial Automation and Control Systems Security. However, control systems are used in applications beyond just industrial control and automation. Control systems are used in automotive, building automation, defense, entertainment, food and agriculture, medical devices, transportation, etc. I believe the use of the term “industrial” has led to the lack of many organizations adopting the work of ISA99. Moreover, I believe the DOE and DHS cyber security roadmap efforts for specific industries led those industries to believe they were unique with no need to collaborate with other industries.
My discomfort with the term “industrial” culminated when I attended the Air Force IT Conference and gave two presentations (see 9/2/16 blog). I felt uncomfortable because I was presenting “industrial” control system security to DOD and had to explain its relevance even though DOD is a very large user of control systems. This week I had discussions with an entertainment company that uses Rockwell PLC’s. Rockwell’s documentation extensively uses the term “manufacturing” so the entertainment company considered the information irrelevant – the entertainment company only manufactured smiles. Consequently, using the term “industrial” control system cyber security to this entertainment company is difficult at best even though they are using control systems that would be considered “industrial” control systems.
I would like to propose the term “physical process control and monitoring” to replace industrial control systems since control systems monitor and control any physical process. I would encourage end-users of control systems to not be turned off by the term “industrial” control systems and consider that control system cyber security information from any industry can be relevant.
Joe Weiss