The Applied Control Solutions 2007 Control Systems Cyber Security Workshop was held August 13-16 in
Knoxville, TN. There were more than 100 attendees representing domestic and international commercial and government communities. The commercial attendees included representatives from electric, gas, and water utilities; chemical companies; pipelines, and vendors. Government attendees represented DHS, the DOE national laboratories, NIST, regulators from FERC, NERC, and NRC, and law enforcement. International representation included the United Nations, Japan, Malaysia, Canada, the UK, Sweden, Finland, and the
Netherlands.
There has been very little attention paid to the cyber security of legacy field devices such as PLCs, RTUs, IEDs, and smart process instrumentation. Consequently, the Workshop had several presentations and discussions on the cyber security of these devices.
Items of interest included:
- The definition of a cyber incident was presented to demonstrate how overarching the existing definition is.
Cyber Incident - An occurrence that actually
or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation
orimminent threat of violation of security policies, security procedures, or acceptable use policies. Incidents may be intentional
or unintentional. (FIPS PUB 200,
Minimum Security Requirements for Federal Information and Information System, March 2006.)
- Demonstration of generic Internet Control Message Protocol (ICMP) vulnerabilities illustrated that cyber vulnerabilities could reside in third party products such as IP stacks used by control system suppliers. Security requirements need to flow through to sub-contractors.
- Three utilities identified specific control system cyber security needs that vendors are not meeting nor is existing R&D addressing.
- FERC is requesting comments on the Notice of Public Rulemaking (NOPR) on the NERC CIP cyber security standards from individuals and organizations (
http://www.ferc.gov/industries/electric/indus-act/reliability/cip.asp)
- Presented a detailed analysis of a control system cyber event that resulted in deaths and significant damage was presented. The case history addressed the cause of the event as best as could be determined with the limited forensics, identified the NIST SP800-53 controls that were violated that enabled the event to occur, and identified the NIST SP800-53 controls that could have prevented the event.
- Additionally several industrial accidents that were not cyber-induced were examined to determine if it would have been possible to have caused them by cyber. Three of the 4 cases identified could have been caused by cyber alone.
- Recognition that vulnerabilities and impact are more important than likelihood.
- Identified the need for control system forensics and questioned whether law enforcement could collect evidence without affecting control system restart and operation or the organization. A batch process and a utility may have different requirements.
- Identified the continuing need for senior management support.
- Identified communication systems capabilities and vulnerabilities, specifically radio, that can affect control system cyber security.
- Prepared a poster session on standards organizations control system cyber security efforts was held with 10 organizations responding.
Tentatively, next year's Control System Cyber Security Workshop will be held the first or second week of August in the
Chicago area and will be co-hosted by Argonne National Laboratory. The workshop will focus on infrastructure interdependencies and is expected to include an interactive tabletop exercise that explores cyber- and interdependencies-related issues.
Joe Weiss