OT/control system cybersecurity has changed and not for the better
The following are my personal perspectives, having been involved in control systems and then control system cybersecurity for more than 50 years.
In 1997, I was managing the EPRI Fossil Plant Instrumentation and Control System Program. Our focus was on automating and integrating systems, “eliminating islands of automation” while justifying the need to upgrade from analog to digital control systems. In hindsight, what we were doing was making “cyber-dumb” facilities into “cyber-alive” facilities, but cyber wasn’t a “known” issue yet. In fact, I had an unexpected visit from EPRI’s head of IT asking me to address cybersecurity. At that time I was unaware of what cyber meant to control systems, and I was also unaware of the development of Presidential Decision Directive (PDD) 63, issued in 1998, which stated that all critical infrastructures, including power, were to be cyber secure within five years. That is, cyber secure by 2003, now 21 years ago.
In 1998, I became the technical lead at EPRI for the Y2K Embedded System Program. This was an unintentional issue with clocks in the microprocessors that, it was feared, could cause global shutdowns across all sectors. (The recent CrowdStrike issue has shown, on a smaller scale, just how such an unintentional issue can proliferate across enterprises and sectors.) Y2K was not malicious but a threat to reliability.
Following the Y2K rollover, EPRI started the control system cybersecurity program because of the potential cyber threats to power plants and the reliability of the grid. In 2000, there were almost no known control system cyberattacks, so the concern was not focused on malicious cyberattacks. I contacted other industries because the electric industry used the same type of control system equipment from the same vendors. I also contacted NIST’s Computer Security Division because there were no control system cybersecurity standards efforts at the time.
At the September 2001 ISA Expo in Houston, ISA held two sessions on control system cybersecurity on Sept. 10. Participants represented the spectrum of industrial and manufacturing organizations including electric power, oil/gas, chemicals, water, food, automotive and even a dog food manufacturer. The sessions that day were for business because “you can’t make things if the control systems don’t work.” National security was not yet an issue (the next day was 9/11 and everything changed) as there were very few known control system cyberattacks:
- The Chinese attempted unsuccessfully to hack into CAISO’s SCADA system
- The Maroochy Shire wastewater hack in Australia
- The Farewell Dossier – the hack of Gazprom pipelines
- The Olympic Pipeline rupture occurred in 1999 but was viewed as a backhoe accident and not a cyber incident until 2008, when MITRE’s Marshall Abrams and I analyzed the incident for NIST
In 2001, the engineers were focused on the control systems and control system field devices, including process sensors. In 2001, the term “OT” hadn’t been coined yet (Gartner did that in 2006). Consequently, almost all attendees were from engineering with very few IT attendees. These sessions ultimately led to the formation of ISA 99 and the 62443 series of control system cybersecurity standards.
From my experience, there were only three major companies that had robust control system cybersecurity programs. One was a domestic utility where the U.S. Department of Energy (DOE) demonstrated the cyber vulnerability of their generation, transmission, distribution and gas pipelines. The CEO understood the implications and “got it.” In fact, I participated with the utility in training the Secret Service on control system cybersecurity. However, the CEO and his staff were not able to get the other utility CEOs to take control system cybersecurity seriously. This included a meeting with the utility CEOs and the chairman of the military Joint Chiefs of Staff on the concerns with control system cybersecurity.
A European utility was the European leader in control system cybersecurity because the CIO came from SCADA operations and understood the implications. Likewise, a major chemical company was the leader in control system cybersecurity because the CIO came from engineering and understood the implications.
There was one unfortunate commonality with these three companies: When the respected leaders retired, the companies’ focus on control system cybersecurity waned, even though the companies still had a focus on IT cybersecurity. From an overall industry perspective, this lack of focus on control system cybersecurity has led (with the exception of the work ongoing in ISA 84.09) to safety and security not being connected.
Fast forward to Sept. 24, 2024. HouSecCon was held in the same building as the ISA Expo in 2001. Eugene Spafford from Purdue gave the opening keynote. I saw him after his session, and he concurred that we haven’t got very far in addressing control system cybersecurity since I spoke at the National Information Assurance Partnership (NIAP) Security Summit in Indianapolis in March 2001.
Paul Veeneman and I gave a presentation, “OT security – the cure is worse than the disease”. There were approximately 90 people in our OT session at HouSecCon. By a show of hands, we were able to determine there was only one process control system engineer. The rest were network security people – a 180-degree change from 2001. This should be a flashing red light to every other OT cybersecurity conference that claims to be addressing the cybersecurity of control systems in critical infrastructures. In fact, I was asked what security conferences engineers would attend. The unfortunate answer is that most engineers don’t attend cybersecurity conferences because they don’t believe cyber directly affects them.
Cyber incidents are defined as potential or actual impacts from electronic communication between systems, and between systems and people (displays), that can affect confidentiality, integrity and availability. However, if the incident does not fit network security’s preconceived view of what a cyber incident is, it doesn’t count. This is why the vast majority of the more than 17 million control system cyber incidents were not identified as being cyber-related. Examples can be seen from our HouSecCon session:
- The pagers and walkie-talkies that were hacked in a kinetic cyberattack in Lebanon and Syria were viewed by many as a supply chain problem. This was because many people felt it was either supply chain or cyber, not both. Since it was evident that it was a supply chain issue, many felt it could not be a cyberattack, which it actually was. These issues were not discussed by U.S. cybersecurity leaders at the AspenDigital Conference last week.
- 144,500 Ford Mavericks were recalled over concerns that the rearview camera display could show a frozen image while backing up. The recalled 2022-2024 model Maverick trucks have "connected touch radios," according to a Sept. 13 recall report submitted to the National Highway Traffic Safety Administration (NHTSA). In the report, Ford said a frozen rearview camera display image could lead to a "false representation of where the vehicle is relative to its surroundings, increasing the risk of a crash." The automaker linked the potential issue to "improper memory handling" within the connected touch radio software, resulting in delayed images being displayed. This was a control system cyber incident, though NHTSA never used the word “cyber”. Even though unintentional, this situation was similar to the man-in-the-middle attack Stuxnet used to mislead the operators.
- The Arkansas City water treatment plant ransomware attack was discussed in detail, but not the water industry control system cyber incidents that caused real impacts. It was also identified that the Oldsmar cyber incident that spawned the EPA cybersecurity requirements was not a cyberattack but user error (this was new to most attendees), and that the Colonial Pipeline incident that spawned the TSA pipeline cybersecurity requirements addresses only network security issues, not cyber-related pipeline ruptures.
- I had a discussion with a CISA representative who previously was the NERC CIP utility lead. The CISA representative stated that only once did an electrical engineer attend a NERC CIP meeting. The engineer attended for five minutes and left, as it was irrelevant to the engineer’s work of keeping the lights on. The HouSecCon conference had many organizations whose focus was compliance, not security. Control system cybersecurity training is needed. There are some public and private efforts. However, none are adequately addressing process sensors and actuators. Many people approached me after the session asking how to get the engineering and network security organizations to work together, demonstrating the gap between engineering and network security.
Summary
To be fair, there has been significant progress in securing IT and OT networks. However, one would think that after 23 years, the “OT” security community would be further along in securing critical infrastructures from control system and other kinetic cyber incidents. Having said that, there is still hope. My presentation to the American Petroleum Institute (API) Cybersecurity Conference Nov. 12, 2024, in Houston will be on cybersecurity of process sensors. The Institute for Homeland Security at Sam Houston State University published my paper, which seems to be going viral. Hopefully, there may be light at the end of the tunnel.