Control system cybersecurity is being discussed but still with misunderstandings
I attended a number of sessions at the February 24-27, 2020 RSA 2020 Cybersecurity Conference in San Francisco. One of the sessions really struck me as getting it right. The session I found most compelling was with Roy Gundy from Johnson and Johnson and Dawn Cappelli from Rockwell Automation. Roy identified that his definition of OT included all engineering, safety, and operations personnel. Roy’s manager, the Vice President of Supply Chain Systems and Solutions, stated that digitalization and control system cybersecurity are important to the Board. This is because digitalization is necessary to get the needed productivity improvements. It was refreshing to see not only the need for control system cybersecurity but also the need for the engineering, supply chain, and networking organizations to work together.
There were many other sessions (including a keynote) that addressed Operational Technology (OT) networks. There were also a number of OT suppliers on the Conference floor. They discussed familiar but important issues. However, there was almost no discussion of the Level 0,1 devices, that is, process sensors, actuators, drives, power supplies, etc. The Level 0,1 issues make control systems different than just being a different type of IP network. They directly affect process safety and have no cybersecurity or cybersecurity forensics. Finally, they are the input to OT networks and are 100% trusted. Yet, in the 20 years I have been associated with control system cybersecurity, there has been almost no research or guidance from DHS or DOE in this area.
Engineering and operations leadership generally are not part of the cybersecurity policy process
For critical infrastructure, the majority of the RSA attendees were from OT network security and were not domain engineers. There were very few senior managers from engineering or operations who attended the RSA Conference. There were more, but still very few, control system or manufacturing floor engineers that attended. There are several lines of thought as to why. As mentioned in my blog, engineering and operations leadership generally are not part of the cybersecurity policy process. If they aren’t involved, how can you expect them to think cybersecurity is important for their engineers? The security attendees thought the engineers weren’t there because they couldn’t get funding approval. I believe many engineers didn’t apply for funding as they did not see it as being relevant to their jobs, especially when their most critical devices are ignored. Moreover, control system cybersecurity issues are international in scope. The Kuwait Oil Company RSA presentation did not address the level 0,1 issues. February 24, the Netherlands held an invited IOT Conference. The same control system-unique issues, particularly Level 0,1, ignored by RSA were also unaddressed at the Netherlands conference.
I attended the Solarium Commission and CyberMoonshot sessions. I do not believe either has addressed some of the more critical unique issues of control systems such as Level 0,1 process sensors and actuators. The primary engineering and operations considerations are reliability, cybersafety, and productivity. However, these are not the primary considerations for the CISOs and network security organizations. As an example, CyberMoonshot was focusing on the next generation Internet and cyber privacy, neither of which are critical for control systems.
With one exception, the ICS Village demonstrations addressed only OT networks. The one exception, Cybati, demonstrated a phenomena that affects the sensors similar to those identified here. There was an ICS Village session led by DHS’ Chris Krebs and Bryson Bort from Sythe. The presenters stated there were 4 pillars of critical infrastructure cyber security – standards, supply chain, work force, and detection and incident response. These 4 pillars are obviously needed. However, the issues that make control systems unique, such as the Level 0,1 devices, are not being adequately addressed. A continuing major gap is the lack of cybersecurity training for the control and safety system engineers, particularly based on actual control system cyber incidents. Detection and incident response cannot be adequately addressed if you can’t trust your process measurements. DHS mentioned they were attending the RSA, SANS, and S4 conferences to get their message out. However, these conferences, including DHS’s own ICSJWG conference, are network security conferences that generally do not generate much engineering or operations attendance.
Keep “lights on” and “water flowing”
There was a “memorial” session for Mike Assante who made great contributions to the industry. I met Mike in 2000 when he was at the American Electric Power Company (AEP) and I was at the Electric Power Research Institute (EPRI). As one of presenters mentioned, Mike conceived and led the Aurora test demonstration at the Idaho National Laboratory in 2007. The test was successful, but industry and DOE’s response was much less so. Mike was also a proponent of addressing Level 0,1 devices. Just like Aurora, that has not been successful either. If the attendees want to honor Mike, they need to follow his lead to keep “lights on” and “water flowing”.
Control system cybersecurity is becoming more “mainstream” since I first started attending RSA in the early 2000’s. However, there is still little discussions of control system-unique engineering issues and engineering participation is still low. You cannot secure control systems without both the networks security and engineering organizations working together. Consequently, it was especially gratifying to me to see end-user companies like Johnson and Johnson who get it.
This article was written by Joseph M. Weiss, an international authority on cybersecurity, control systems, and system security. Weiss weighs in on cybersecurity, science and technology, security emerging threats and more. Originally this article was published here.