Will the next administration finally address control system cybersecurity?
Addressing critical infrastructure (control system) cybersecurity started with the issuance of Presidential Decision Directive (PDD) 63 by President Bill Clinton in 1998. According to PDD63, the critical infrastructures were to be cyber-secure within five years of the PDD's issuance, that is, by 2003. Yet control system cybersecurity still has not been adequately addressed by the intervening Democratic and Republican administrations.
Much has improved in securing and monitoring operational technology (OT) networks, but monitoring and securing control system field devices such as process sensors, actuators, and drives have not been adequately addressed. In fact, addressing control system field device cybersecurity has regressed since I helped start the control system cybersecurity program for the electric utilities in 2000.
The previous administration issued myriad reports, presidential executive orders (EOs) and vulnerability disclosures on internet protocol (IP) networks and devices. However, none of those reports addressed the distinctive issues associated with control system field devices—process sensors, actuators, drives, etc.—as such devices physically cannot meet many of the requirements set forth in IP network cybersecurity requirements. Yet control system field devices are what make control system cybersecurity different from network security, and they are where safety is paramount.
The Chinese backdoors in large electric power transformers and port cranes were relegated to secondary importance behind Volt Typhoon and Salt Typhoon. As a result, more than 125 large Chinese transformers were purchased by US electric utilities after EO 13920 was suspended in 2001 despite the findings of the Sandia National Laboratory Top Secret report on a large Chinese transformer.
The previous administration limited the response to Iranian hacks of Unitronics controllers to the U.S. water sector, even though these controllers also were compromised in other U.S. sectors including food, ports and healthcare. Moreover, the CISA response was limited to the IP network issues of default passwords and did not address the possible compromise of the controller logic, which is what occurred with the Iranian nuclear centrifuges (Stuxnet).
I did a word search on the Jan. 16, 2025, EO on Strengthening and Promoting Innovation in the Nation’s Cybersecurity on the terms “OT”, “Operational Technology”, “control systems”, “ICS”, “Industrial Control Systems”, “SCADA”, and “PLC”. None were mentioned. The only mention in the EO of either OT or control systems was:
“This pilot program, and accompanying assessment, may include vulnerability detection, automatic patch management, and the identification and categorization of anomalous and malicious activity across information technology (IT) or operational technology systems.”
As stated, this EO builds on the foundational steps in EO 14028 of May 12, 2021 (Improving the Nation’s Cybersecurity), and the initiatives detailed in the National Cybersecurity Strategy. Unfortunately, neither EO nor the national strategy addressed control systems field devices or other control system hardware issues.
The government and industry focus continues to be on IP network security issues. Though important, this focus will not fully protect the control systems used throughout our critical infrastructures. Will the next administration finally address control system-unique issues in an adequate manner?