Why the Bridge Still Needs to be Built Between Operations and IT

June 3, 2014

To many in the IT community, the gap in understanding industrial control system cyber security is gaping. I was drawn to a May 29th Dark Reading article titled “Large Electric Utilities Earn High Security Scores as the title seemed to be at odds with what I have seen. The statements made in that article simply do not represent reality.

To many in the IT community, the gap in understanding industrial control system cyber security is gaping. I was drawn to a May 29th Dark Reading article titled “Large Electric Utilities Earn High Security Scores”, http://www.darkreading.com/vulnerabilities---threats/large-electric-utilities-earn-high-security-scores/d/d-id/1269299? - as the title seemed to be at odds with what I have seen. Selected snippets from the article are below, along with my responses:

"I was looking for utilities to do poorly. But what we learned here is it's mostly SCADA systems that have their [security] issues.  The largest utilities in the S&P 500 are pretty high-performing" when it comes to securing their networks, says Stephen Boyer, founder and CTO of BitSight, which tracks malicious traffic on the Internet. Beyond those small utilities that have a lot of problems, the larger ones are pretty sophisticated. They are pretty good at segmentation and responding very quickly to threats, he says.”

Response: This lack of understanding of the importance of control systems keeps recurring in IT circles. The statement, “it’s mostly the SCADA systems that have security issues” demonstrates Stephen Boyer’s lack of understanding of utility (industrial) operations. “SCADA” (industrial control systems) are what industrial organizations use to produce or distribute products. Making a statement about size is also inappropriate as utilities are interconnected – big and small. There are more than enough small facilities (power plants and substations) that are not being addressed for cyber security (i.e., the NERC CIPs) to cause a very significant impact on the overall grid. Moreover, the only two utilities acting as test beds for Aurora and control system cyber security are small utilities, not big ones. Since there are minimal control system cyber forensics or training to compensate for the lack of cyber forensics, it is difficult to respond to a threat they don’t even know exists.

"Large investor owned utili­ties have fairly sophisticated security practices. Like large financial institutions, they have significant security bud­gets and cyber risk has exec­utive level visibility," said Dave Dalva, vice president of security science at Stroz Friedberg, in a statement in BitSight's report, published this week.”

Response: Dave’s statement may make sense for the large investor-owned utilities business IT systems. However, all anecdotal information I have seen indicates there is not enough resources or attention being paid to control systems (in almost all industries). This past February I gave a presentation at a utility industry conference for insurers and risk managers. It was evident at that conference that the attendees did not understand the control system cyber security risk to their companies.

“ICS/SCADA systems notoriously suffer from security shortcomings mainly due to plant operators' priority of operations and safety, rarely patching and updating software for fear of disrupting the power supply or manufacturing process, for instance.”

Response: The implication is that plant operators are too focused on safety and reliability. Where is the problem!? The real question is why isn’t IT focused on this also?

BitSight gathered the data for its analysis via its global sensors on the Internet that detect botnet and other malicious traffic, and tracks malware and the duration of its presence on systems for its customers.”

Response: IT views security as Windows, the Internet, malware, botnets, etc. While these may also be issues for control systems, there are others that are more significant. Moreover, the real issues are what is happening on the control system networks, not just the Corporate networks. BitSight (and others) aren’t even looking there. That is why a Wall Street Journal article of several years ago claiming that China was in the utilities’ networks didn’t make sense as the control system networks weren’t instrumented. How would anyone know? The utility control system cyber security test bed is instrumenting the control system network. The results of what is really happening there should be interesting.

Utilities are mostly plagued by a family of Trojans called Redyms (26%), which redirect search engine results, Zeus (15%), Zero Access (13%), Cutwail (8%), and Confickr (8%).

Response: These are IT Trojans. Why wasn’t Stuxnet, Aurora, HART vulnerabilities, etc addressed? These are the control system cyber security issues.

When people complain that operators are too focused on safety and reliability I don’t know whether to laugh or cry.

Joe Weiss

Sponsored Recommendations

Make Effortless HMI and PLC Modifications from Anywhere

The tiny EZminiWiFi is a godsend for the plant maintenance engineers who need to make a minor modification to the HMI program or, for that matter, the PLC program. It's very easy...

The Benefits of Using American-Made Automation Products

Discover the benefits of American-made automation products, including stable pricing, faster delivery, and innovative features tailored to real-world applications. With superior...

50 Years of Automation Innovation and What to Expect Next

Over the past 50 years, the automation technology landscape has changed dramatically, but many of the underlying industry needs remain unchanged. To learn more about what’s changed...

Manufacturing Marvels Highlights Why EZAutomation Is a Force to Be Reckoned With

Watch EZAutomation's recent feature on the popular FOX Network series "Manufacturing Marvels" and discover what makes them a force to be reckoned with in industrial automation...