Given the virtual world we live in, I am able to support two important cyber security conferences in the same week: June 8th is the Cyber Observatory IOT and ICS Conference, and June 8th and 9th is the New York State Cyber Security Conference. As control-system-unique cyber issues are still misunderstood by many in the mainstream cyber security community, my presentations will be an engineer's view of control system cyber security with a focus on actual impacts.
There have been almost 12 million control system cyber incidents. Yet there has been an alarming reticence on the part of government and industry to identify control system cyber incidents as being "cyber". Examples include the 2003 Davis Besse Slammer worm incident, where NRC wouldn't use the word "cyber", and the more than 350 control system cyber incidents in the North American electric system that NERC wouldn't identify as "cyber". Even the most recent NERC Lessons Learned refuses to call a power plant control system incident that affected the entire Eastern Interconnection a cyber incident. This event started with 200 MW swings because of a sensor and control system problem at a power plant in Florida and ended up with 50 MW swings in New England! (https://www.controlglobal.com/blogs/unfettered/process-sensor-issues-continue-to-be-ignored-and-are-placing-the-country-at-extreme-risk). Consequently, it should be evident that government initiatives that require identification of control system cyber incidents aren't being met. This should be of concern given the increasing cyber oversight by insurance and credit rating agencies.
To date, the government guidance provided following control system cyber incidents has been generic, such as "don't connect IT and OT networks" or "practice good cyber hygiene", and does not address the root cause of the incidents. The lack of root-cause guidance has two ramifications: doing only the basics creates a false sense of security, and leaving the root cause unaddressed leaves the facilities open to recurrence of the same incidents. Moreover, most of the root causes were not unique to just one facility.
Control system devices such as process sensors, actuators, and drives have no cyber security, authentication, or cyber logging, so it takes more than network security to address them. Additionally, these devices are not capable of meeting the requirements in the Cybersecurity Executive Order (EO) 14028 or the TSA pipeline cyber security requirements. Understanding control system cyber security is critical because Russia, China, and Iran are aware of these deficiencies, and some of these gaps are currently being exploited.
June 8th, I will be giving a keynote at the Cyber Observatory IOT and ICS conference (https://www.cyberinnovationsummits.com/industrial-cybersecurity-iiot-event/). I will also be participating in an executive roundtable, "The critical infrastructure supply chain: how can this massive operational and cyber security challenge be addressed?" The Chinese hardware backdoors in large electric transformers raise hardware challenges that do not appear to be addressed in the ongoing supply chain initiatives.
June 8th, I will also be participating in a panel session at the New York State (NYS) Cyber Security Conference at 11 AM Eastern with Matt Nielsen of GE R&D and Sanjay Goel from SUNY Albany. The panel will address "Threats to the Energy Infrastructure of the United States". The panel will discuss some of the recent cyberattacks on our power grid and what we should be doing to mitigate the threat to our power infrastructure.
June 9th, I will be giving a keynote at the 2021 NYS Cyber Security Conference, which is held in conjunction with the Annual Symposium on Information Assurance (http://www.albany.edu/iasymposium). My presentation will provide an engineer's complement to Kevin Mandia's June 9th keynote on the state of cyber security.
The presentations will address some of the most significant recent control system cyber security incidents: SolarWinds and its impact on control systems, the Chinese hardware backdoors in large electric transformers, Chinese hidden control system networks in a pharma facility, the Colonial Pipeline hack, the Oldsmar water hack, counterfeit process sensors, and building hacks. They will identify some of the gaps between real incidents and EO 14028 and the TSA pipeline requirements, and will provide recommendations to improve control system cyber security.
Joe Weiss