The gaps preventing cyber securing physical infrastructures

Nov. 16, 2021
Physical infrastructures are monitored and controlled using instrumentation and control systems. Instrumentation monitors the processes and control systems control the physics. Yet, instrumentation and the physics of the processes are often ignored as the focus of security experts is on defending networks. These gaps can, and have, led to a lack of process safety, system reliability, and resiliency. As an example, there is an international industrial network draft standard addressing functional SAFETY that has not addressed cyber security but will probably be approved anyway.  

In preparation for my November 17th presentation to ISA Twin Cities (https://www.controlglobal.com/blogs/unfettered/november-17-2021-twin-cities-isa-education-event-control-system-cybersecurity), I have identified two critical flaws in  cyber security approaches for physical infrastructures (e.g., power, grids, water/wastewater, petrochemical, pipelines, manufacturing, mining, transportation, buildings, medical devices, food manufacturing, defense, etc.). I have not used the term "critical infrastructure" as these issues apply to any physical infrastructure.

Physical infrastructures are monitored and controlled using instrumentation and control systems. Instrumentation monitors the processes and control systems control the physics. Yet, instrumentation and the physics of the processes are often ignored as the focus of security experts is on defending networks. These gaps can, and have, led to a lack of process safety, system reliability, and resiliency.

This failure to appreciate control system cyber security extends to both the network people who don’t look at the engineering aspects of the problem and the engineers who don’t look at the security impacts of the design or installation. As an example, there is an international industrial network draft standard addressing functional SAFETY that has not addressed cyber security but will probably be approved anyway.

I also wanted to add quotes from two instrumentation and control cyber security experts I respect that address these two issues:

- To the network experts: “Just because part of the system is not vulnerable to the threats you are used to seeing does not mean the system is not vulnerable.”

- To the engineers: "I have spent years talking to brick walls and brick heads about the lack of security in field devices. Their response is typically that they are air gapped and that everything is safe and secure. Irrational fantasy at best. I am not alone in this quest, but I am definitely in a minority.”

Joe Weiss

Sponsored Recommendations

Make Effortless HMI and PLC Modifications from Anywhere

The tiny EZminiWiFi is a godsend for the plant maintenance engineers who need to make a minor modification to the HMI program or, for that matter, the PLC program. It's very easy...

The Benefits of Using American-Made Automation Products

Discover the benefits of American-made automation products, including stable pricing, faster delivery, and innovative features tailored to real-world applications. With superior...

50 Years of Automation Innovation and What to Expect Next

Over the past 50 years, the automation technology landscape has changed dramatically, but many of the underlying industry needs remain unchanged. To learn more about what’s changed...

Manufacturing Marvels Highlights Why EZAutomation Is a Force to Be Reckoned With

Watch EZAutomation's recent feature on the popular FOX Network series "Manufacturing Marvels" and discover what makes them a force to be reckoned with in industrial automation...