A Q&A with Joe Weiss of Applied Control Solutions
The security of industrial control systems is increasingly vulnerable to cyber-attack and the stakes for failure are extremely high, yet there’s little public understanding and media coverage about these very real risks. I talked to Joe Weiss of Applied Control Solutions about why industrial control systems should be the most important frontier in cyber security and what organizations can do to protect against this growing threat.
Please explain what industrial control systems are and how they are used.
We use the word “industrial” but these are really just control systems, used to monitor and control physical processes—it could be a power plant, refinery, pipeline, substation, or even a thermostat in your home. Every industry and sector worldwide uses control systems, from electricity and oil producers to manufacturing and transportation to the Department of Defense. If you’re making Girl Scout cookies, chances are you have a batch monitor that tells you what ingredients to use and how long to bake them—that’s a control system. What we run into is that people are fixated on the cyber security of servers and computers for billing purposes but not the actual factory equipment making the cookies. They think that “cyber security” by definition means traditional business IT computers, but that’s not the case.
What are the cyber threats facing infrastructure and companies with industrial control system dependencies?
To start with, there’s the notion in the cyber world that an incident needs to be malicious to be a problem. In the industrial control world it doesn’t have to be malicious or malevolent to create major damage. That’s because with control systems, it’s not just data that can be compromised but processes. When you manipulate physics bad things can happen. For example, in 2006, a broadcast storm (too much data on the network) shut down the Tennessee Valley Authority’s Browns Ferry Unit 3 nuclear power plant two 10,000 horsepower cooling pumps. The 2010 Pacific Gas & Electric natural gas pipeline rupture in San Bruno, CA that killed 8 started from Supervisory Control and Data Acquisition (SCADA) communication issues. As you can tell by these examples, control system cyber security is not like the cyber security you may be used to where the focus is data breach. Nevertheless, there are real consequences that have already happened that can be a threat to people’s lives, to the environment, and to the economic viability of companies, including the insurers.
there’s so much hype about connecting everyone and everything, but we need to take a breath and think about what it is we’re really doing here
What is it that makes these threats so acute?
Unlike with traditional cyber systems, there are minimal control system forensics for these events. With IT you know you’ve been hacked but with control systems it is different. You can’t hide a plant blowing up or lights shutting off you may very well not know whether cyber is involved. With each event potentially costing hundreds of millions of dollars, it’s very disturbing. The Internet of Things is making it much worse.
People don’t seem to realize that they really don’t want their local nuclear plant connected to the internet. From a marketing perspective there’s so much hype about connecting everyone and everything, but we need to take a breath and think about what it is we’re really doing here.
We don’t read much about these cases in the media. Are there other examples in which industrial control systems have been attacked, causing a cyber loss or liability?
I have a database of more than 500 control system cyber incidents. Probably the most famous now is Stuxnet where the United States and Israel ostensibly destroyed a bunch of centrifuges in an Iranian nuclear facility, which slowed down Iran’s march toward nuclear weaponry. Whether it’s military or ideological or someone who is just disgruntled, or even an unintentional act, there are many ways control system cyber incidents can occur.
What are some common threads you see in these cases?
You could call them front doors or back doors but there are many ways to get into these systems and it’s not even always through the internet. Stuxnet was achieved with a thumb drive. We have a plethora of remote access capabilities including dial-up modems, wireless, microwave radio, satellite communications, etc. From what I have seen, the common thread is the lack of adequate senior management commitment to secure industrial control systems.
What can a company do proactively to mitigate this exposure?
The first thing is developing awareness to understand the issues. The next is training specifically developed for control systems. Finally, organizations need to segment their networks and isolate the sensitive areas while preparing an extensive backup plan in case something does happen.
In Summary…
I want to thank Joe Weiss for his unique insights into industrial control systems. It appears that this type of ‘cyber risk’ is very underestimated yet mishaps can result in massive catastrophic physical world repercussions that Joe has indicated. Many folks may not be aware that ICS control the USA’s manufacturing plants, power generation, fabrication, water treatment/distribution, oil and gas pipelines, electrical power transmission/distribution. ICS operates our airports, railroads including mass transit, and ships. ICS monitor and control heating, ventilation, air conditioning systems (HVAC), etc. Unfortunately air-gaps that previously isolated industrial control systems no longer exist.