May/June 2020

Concepts
Attention Policymakers: Cybersecurity Is More than an IT Issue

BY JOSEPH M. WEISS, P.E.

Cybersecurity policy has been based on preventing malicious attacks against IT data networks for more than 20 years. With all of the money and attention paid to IT cybersecurity, the problem is still far from a solution. Meanwhile, control system cybersecurity is arguably 5–10 years behind IT security. And even though control system cybersecurity has a great potential for internal damage and public harm, it receives much less management attention and funding.

Control system cybersecurity is meant to keep lights on, water flowing, pipes from breaking, trains from crashing, and so on. A major obstacle exists, however: a vast communication and culture gap between IT/operational technology (OT) and engineering/control systems organizations.

Control system cyberimpacts are real. There have been more than 1,200 actual control system cyberincidents to date, with more than 1,500 deaths and more than $70 billion in direct damages. The impacts include pipe ruptures, refinery explosions, train crashes, plane crashes, and major electric outages. All were caused by electronic communications between control systems.

Cybersecurity policymakers have assumed that control systems are simply another type of IT infrastructure and, therefore, IT policies, technologies, training, and testing methodologies apply. This is not true. There have been numerous cases where IT security policies, procedures, technology, and/or testing have impacted control system operation, sometimes actually damaging control systems.

Generally, cybersecurity is under the purview of the CIO and/or the CISO. Yet, in most cases, these positions have no responsibility for the design, procurement, operation, or maintenance of plant/facility equipment and control systems. However, the VPs who manage areas such as power production, power delivery, manufacturing, refining, and data centers, typically have no input on the cybersecurity of these systems. Simply trying to get people from engineering and IT/OT to work together on their own has not worked.

Governance of control system cyber-security is doomed when it does not explicitly require engineering and IT/OT to work together. OT network cybersecurity shares aspects of traditional IT cybersecurity; however, control systems are different than IT/OT networks in many crucial ways that policymakers need to understand. Clearly, appropriate policies, procedures, training, and monitoring are needed.

The cybersecurity challenge is made even more difficult because cyberattacks can be difficult to recognize, even in familiar IT networks. Control system security is tougher yet. Sophisticated cyber-attackers will make cyberattacks look like equipment malfunctions, there is minimal control system cyberforensics, and minimal cybersecurity training for the engineers to recognize potential cyber-related incidents.

The designers, operators, and maintainers of control system equipment are engineers and technicians, not computer experts. This culture and training gap between networking and engineering starts in the university setting, where engineering and computer security disciplines are often unconnected. This culture gap between the networking and engineering domains needs to change along with the governance model.

Most importantly, control systems “manipulate physics,” not data. This means compromised control systems can lead to catastrophic physical failures—and they have. Consequently, policymakers need to adequately address the unique aspects of control systems, but they have not. Additionally, the right expertise must be involved when developing cybersecurity policies that can affect control systems and society. Most control system cyberpolicyconferences, however, have minimal to no participation from control system experts.

In brief, cybersecurity policies and procedures need to address the unique aspects of control systems, which is why the International Society of Automation is developing the ISA-62443 series of standards. Other organizations with control systems expertise, such as the International Council on Systems Engineering, SAE International, and the British Institution of Engineering and Technology are also involved. Many other organizations are developing standards and guidelines that can affect control systems, but they may be inconsistent and not address the issues unique to control systems. These efforts must be better coordinated.

My recommendations:

• Governance changes need to mandate that engineering management and technical staff participate in control system cybersecurity along with CIO/CISO and IT/OT networking staff;
• Recognize that the most dangerous control system cyberattacks are those that manipulate physics. This requires engineering-domain expertise to identify and respond to these types of issues;
• Provide R&D funding for securing Level 0,1 devices and low-level sensor networks;
• Universities need to require introduction to computer science/cybersecurity for engineering students and computer science/computer security students to take an introductory course on engineering;
• Adequately address Level 0,1 devices in control system cybersecurity and process safety standards; and
• Coordinate control system cybersecurity standards and regulatory activities.

Cybersecurity policymakers must take into account the unique technical and policy issues associated with control systems. Current cybersecurity policies often have made control systems more susceptible to unintentional or malicious attacks because of the lack of input from engineering organizations. This culture and governance gap needs to change.

NSPE member Joseph M. Weiss, P.E., is the managing director of the ISA99 standards development committee on Industrial Automation and Control Systems Security.