Cyber security and control systems
- July 13, 2011
- 84 views
Voice in the wilderness? Gadfly? Self-described "persona non grata in the electric utility industry"? Underappreciated sage?
Joe Weiss, principal at Applied Control Solutions, LLC, may be all these things and more. (For background, Weiss initiated the control system cyber security program at the Electric Power Research Institute in 2000; wrote the book, Protecting Industrial Control Systems from Electronic Threats, has testified to the U.S. Senate on the topic and is consulted by branches of the U.S. Department of Defense, foreign governments and various industrial and utility sectors.)
Yesterday we featured Peter Mozloom, vice president for cyber solutions at Modus Operandi, Inc., a defense contractor, who sees a disconnect between the expertise of IT professionals and operational security at electric utilities. (See "Cyber Expertise Lacking?")
Weiss contacted me after the column appeared and seemed to connect the dots that Mozloom left unconnected. ("Your article missed the point," Weiss wrote. "What is missing is control system cyber security expertise.")
I'd heard Weiss speak at Grid ComForum last year and what he told me seemed to make sense. But it's difficult to separate Weiss' argument from his zeal, which I define as the far side of passion. So here I offer his views on electric utility security and invite readers to weigh in on his points.
Weiss' expertise is in ICS—industrial control systems. Essentially, his position is that cyber security generally focuses on information technology, or IT, and ignores the threat to industrial control systems, which are embedded throughout the electric grid, from generation to transmission to distribution. Stuxnet—the software program that attacked the nuclear centrifuges in Natanz, Iran, last year—was a proof point for the vulnerability of industrial control systems, not IT cyber security, according to Weiss. (And, indeed, according to Annabelle Lee, a technical executive with the Electric Power Research Institute, and others. See "Security, Part II: Control Systems and IT Systems.")
According to Weiss, IT professionals don't understand ICS. Operations personnel may understand ICS, but not IT and its cyber security implications. That's one disconnect. Another: responsibility for the integrity of ICS at electric utilities tends to be splintered among various roles, in contrast to the chief information officer's clear mandate for IT cyber security, he said. Further, IT cyber incidents leave a forensics trail that can be reconstructed after the fact, while ICS incidents leave only physical evidence without a clear forensics trail.
Historically, the overriding concerns of those developing industrial control systems was their usefulness, reliability, safety and cost, Weiss said. And the control system engineer's traditional role is to "keep things running," he added. Making ICSs remotely controlled via Ethernet over local area networks and their microprocessors updatable by this method led to their present vulnerabilities, he argued.
"Flexibility and security pull in opposite directions," Weiss told me.
We paused to review the meaning of "cyber" and its security implications.
"'Cyber' means an electronic communication between systems that can affect confidentiality, integrity or availability," Weiss said. "In the IT world, you're generally worried about your computers' availability to work. In the physical world, I'm worried about the main cooling pump at a nuclear plant.
"This is a critical area," Weiss concluded. "IT problems don't kill people. Control system problems have killed people."
The reason the electric industry (and other industries) doesn't have greater visibility into ICS incidents is that reporting requirements don't exist (with the exception of nuclear power generation), he said.
"Control systems have minimal cyber forensic capabilities, which is why you don't hear about control system cyber incidents," Weiss told me. "In the U.S. to date, [however], there have already been four control system cyber incidents that have killed people, three major cyber-related outages, two nuclear plants shut down from full power and a power plant turned into a yo-yo for three hours."
That said, Weiss acknowledged that the vast majority of some 200 documented ICS incidents worldwide so far have been the result of unintended consequences. Intentional, malicious acts, mostly by disgruntled employees, haven't been very effective.
"Ironically, unintentional acts have been more impactful," he said.
For those seeking to protect ICSs and the assets they control, the difference between intentional, malicious acts and unintended consequences may be academic, he said. The vulnerabilities that need addressing remain the same.
The solution, according to Weiss, is education, training and elevating the importance of ICS vulnerabilities—his bailiwick. Self-promotion or a zealous champion of keeping the lights on and his fellow citizens safe?
Intelligent Utility Daily