There are several key points:
- Control system reliability and safety can be quantified
- Security may not be able to be quantified
- Control system cyber security is to maintain reliability and safety - an engineering function
- IT security is to protect data - an IT function
- Equipment failure modes are known - cyber threat vectors may not be known
- IT and Operations have different goals
- The CIA triad is reversed for each, meaning different technologies are required
Consequently, there are a number of interesting issues that arise:
1) What should be the role of control system cyber security? The distinction between control systems and IT is starting to blur, particularly at the HMI level. Control system reliability and safety can be quantified while security may not be able to be quantified. My proposal would be that control system cyber security focus only on the cyber issues that can affect reliability and/or safety and are quantifiable. There are already quantified reliability and safety criteria. The issue is how cyber incidents (intentional or unintentional) could affect these criteria and how security technology can support meeting existing reliability and safety goals. IT security would support Operations as needed.
2) What should be the role of IT security? IT security would focus on data protection, which may not be quantifiable and is an area in which IT already has expertise. Operations would support IT as needed.
3) Since control systems cannot be fully secured, there is a need to develop improved robustness, resiliency, and recovery for control systems. Ralph Langner has written a book on this subject. Since control systems were not designed to be secured and may be fairly "brittle" against cyber attacks or unintentional communication issues, it is necessary to be able to recover from these incidents.
4) Since control systems cannot be fully secured, there is a need to develop adequate control system logging and forensics. There is a need to know if a process is being impacted by cyber or to determine if cyber has played a role in unusual operation. Currently, unusual operation may be looked at as a "glitch" and the process restarted without addressing if cyber played a role or could continue to play a role.
There really is a need to rethink what it means to secure a control system.
Joe Weiss