"Swiss Army Knife" for safety systems - is it a feature or a vulnerability

On Tuesday, a major control and safety system vendor held a webinar on cyber security of safety systems - "The rocky relationship between safety and security". The vendor talked about the network issues that needed to be considered, limitations on read/write, etc. However, the diagram that was shown on the webinar had the control and safety systems on the same Ethernet LAN. I talked to the vendor about it. His response was their design was like a "Swiss Army Knife" (a feature).
Nov. 8, 2012
2 min read

On Tuesday, a major control and safety system vendor held a webinar on cyber security of safety systems - "The rocky relationship between safety and security". The vendor talked about the network issues that needed to be considered, limitations on read/write, etc. However, the diagram that was shown on the webinar had the control and safety systems on the same Ethernet LAN. I talked to the vendor about it. His response was their design was like a "Swiss Army Knife" (a feature). That is, they were giving their users flexibility on how they wanted to implement their safety and control systems. As a nuclear engineer, the concept of mixing safety and control on the same network is not acceptable - period. Moreover, at the recent ICS Cyber Security Conference, a utility discussed their major control system cyber incident where they lost all logic in every DCS processor with the plants at power. The hard-wired analog safety systems prevented significant plant damage as they were independent of the affected plant control systems. I find the vendor doing a disservice to their customers to even imply that mixing safety and control would be acceptable. I was very surprised no one brought up the concern of mixing control and safety during the presentation or subsequent question-answer session. When vendors know there are potential cyber vulnerabilities in their "features", I feel they owe their customers some form of notification.

Joe Weiss

About the Author

Joe Weiss

Cybersecurity Contributor

Joe Weiss P.E., CISM, is managing partner of Applied Control Solutions, LLC, in Cupertino, CA. Formerly of KEMA and EPRI, Joe is an international authority on cybersecurity. You can contact him at [email protected]

Sign up for Control eNews
Get the latest news and updates