1. Home

There is still a gaping hole in understanding ICS cyber security including by "experts"

May 29, 2015

Interent of Things (IOT) “experts” stated that controllers are nothing more than devices on the network, and the key to their protection is making the network as secure as you need the controllers to be.  As noted by Stuxnet, this not correct and there needs to be more vetting of who are ICS cyber security experts.

Many people tell me there is no need for continued awareness about ICS cyber security. Control Design magazine asked 11 Internet of Things (IOT) “experts” how do you protect controllers from a cyber attack (as best as I can tell, there were very few "experts" that actually understood control systems). According to the May 26, 2015 article "How do you protect controllers from cyber attacks?," the experts stated: "Controllers are part of the system when you're thinking of the Internet of Things. They are nothing more than devices on the network, and the key to their protection is making the network as secure as you need the controllers to be." The importance and consequences of end devices in an IT network (eg, cell phones, tablets, laptops) is very different than end devices in a control system network (eg, controllers, sensors, analyzers, drives). That the IT community does not understand the ICS-unique issues is not surprising (though I wish it wasn't). But to have an ICS-focused periodical publish this without questioning the experts is just mind-boggling to me. It is obvious the "experts" didn't understand the controller-unique issues with Stuxnet nor do they understand the unique issues associated with plant and personnel safety.

ISA99 was established to address the unique issues associated with ICS cyber security. This includes not only the Windows-based HMIs, but also the controllers, sensors, drives, analyzers, etc which are technologically and functionally different than IT devices. There are many significant ICS field device vulnerabilities that are device features and can be exploited even with a "secure" network (see Stuxnet). In fact, the three nuclear plant ICS cyber incidents I will be discussing June 4th at the International Atomic Energy Agency’s Cyber Security Conference were selected because the incidents were not network-related.

I hope that Control Design and other like periodicals will reconsider leaving these types of statements stand and to better vet “experts” that are discussing ICS cyber security subjects.

Joe Weiss

Continue Reading

Sponsored Recommendations

2024 Industry Trends | Oil & Gas

We sit down with our Industry Marketing Manager, Mark Thomas to find out what is trending in Oil & Gas in 2024. Not only that, but we discuss how Endress+Hau...

Level Measurement in Water and Waste Water Lift Stations

Condensation, build up, obstructions and silt can cause difficulties in making reliable level measurements in lift station wet wells. New trends in low cost radar units solve ...

Temperature Transmitters | The Perfect Fit for Your Measuring Point

Our video introduces you to the three most important selection criteria to help you choose the right temperature transmitter for your application. We also ta...

2024 Industry Trends | Gas & LNG

We sit down with our Industry Marketing Manager, Cesar Martinez, to find out what is trending in Gas & LNG in 2024. Not only that, but we discuss how Endress...

Latest from Home

Most Read

Sponsored