There is still a gaping hole in understanding ICS cyber security including by "experts"

May 29, 2015

Interent of Things (IOT) “experts” stated that controllers are nothing more than devices on the network, and the key to their protection is making the network as secure as you need the controllers to be.  As noted by Stuxnet, this not correct and there needs to be more vetting of who are ICS cyber security experts.

Many people tell me there is no need for continued awareness about ICS cyber security. Control Design magazine asked 11 Internet of Things (IOT) “experts” how do you protect controllers from a cyber attack (as best as I can tell, there were very few "experts" that actually understood control systems). According to the May 26, 2015 article "How do you protect controllers from cyber attacks?," the experts stated: "Controllers are part of the system when you're thinking of the Internet of Things. They are nothing more than devices on the network, and the key to their protection is making the network as secure as you need the controllers to be." The importance and consequences of end devices in an IT network (eg, cell phones, tablets, laptops) is very different than end devices in a control system network (eg, controllers, sensors, analyzers, drives). That the IT community does not understand the ICS-unique issues is not surprising (though I wish it wasn't). But to have an ICS-focused periodical publish this without questioning the experts is just mind-boggling to me. It is obvious the "experts" didn't understand the controller-unique issues with Stuxnet nor do they understand the unique issues associated with plant and personnel safety.

ISA99 was established to address the unique issues associated with ICS cyber security. This includes not only the Windows-based HMIs, but also the controllers, sensors, drives, analyzers, etc which are technologically and functionally different than IT devices. There are many significant ICS field device vulnerabilities that are device features and can be exploited even with a "secure" network (see Stuxnet). In fact, the three nuclear plant ICS cyber incidents I will be discussing June 4th at the International Atomic Energy Agency’s Cyber Security Conference were selected because the incidents were not network-related.

I hope that Control Design and other like periodicals will reconsider leaving these types of statements stand and to better vet “experts” that are discussing ICS cyber security subjects.

Joe Weiss

Sponsored Recommendations

Measurement instrumentation for improving hydrogen storage and transport

Hydrogen provides a decarbonization opportunity. Learn more about maximizing the potential of hydrogen.

Get Hands-On Training in Emerson's Interactive Plant Environment

Enhance the training experience and increase retention by training hands-on in Emerson's Interactive Plant Environment. Build skills here so you have them where and when it matters...

Learn About: Micro Motion™ 4700 Config I/O Coriolis Transmitter

An Advanced Transmitter that Expands Connectivity

Learn about: Micro Motion G-Series Coriolis Flow and Density Meters

The Micro Motion G-Series is designed to help you access the benefits of Coriolis technology even when available space is limited.