During a recent ThreatConnect Podcast, Joe Weiss, Managing Partner at Applied Control Solutions, gave his insights and thoughts on Control Systems and Cybersecurity issues facing our nation’s critical infrastructures. Joe is an international authority on control system cybersecurity and is currently a member of the International Society of Automation Standards Committee ISA99, Industrial Automation and Control System Security.
There are 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety. Dan Verton, host of the ThreatConnect Podcast, explores some of these issues and solutions with Joe below.
Dan Verton: Joe, for 40 years, nobody has really challenged any of your basic statements about the security posture of our critical infrastructure. Has anything fundamentally changed in your view or improved in terms of the security posture of our critical systems?
Joe Weiss: It’s actually gotten worse. First of all, I happen to be the managing director of ISA99. ISA is the International Society of Automation. ISA99 is the standard for control system cybersecurity. And I’m on a working group of ISA84, which is process safety. One of the things we just finished looking at was the state-of-the-art pressure sensor. And what we were trying to do is understand what security was inherent in these basic devices. And the use case was a liquefied natural gas facility, and this is the wired safety sensor, pressure sensor, basically to keep it from blowing up and taking out all of downtown Boston with it. And what we found was, there were 139 individual cybersecurity requirements in the component spec.
This state-of-the-art pressure transmitter, used everywhere, failed 69 of 139 cybersecurity requirements. This was a study done two or three months ago, and these devices have been completely excluded from any of the TSA guidance, from any of the NERC, North American Electric Reliability Corporation guidance, from basically any of the DHS guidance. What we’ve done is focused just on the networks and ignored all of the actual devices that can blow things up. So in a nutshell, have we gotten better with the networks? Yes. With the sensors and actuators and drives, we’ve gone backward.
Dan Verton: So this is clearly what we learned from the Colonial Pipeline incident, right? Is that business systems are also important to critical infrastructure operationally, just as the control system environment. But you mentioned the guidance and where you think the guidance is lacking. Where should the federal government, working with the owners and operators of these infrastructures, start in terms of fundamentally beginning to reduce cyber risk?
Joe Weiss: It’s very simple. Critical infrastructure, I’m talking: power, water, chemicals, pipelines, manufacturing, you name it, those are engineering systems. Who knows about engineering systems? The engineers. Who has been excluded from the world of cybersecurity? The engineers. And this is a problem across the board. In the industry, the end-users, the equipment vendors, the regulators, you name it. It doesn’t help when you have all of this guidance for critical infrastructure security being entirely predicated on a network. These aren’t networks. If you want to keep water or power, manufacturing, and everything else up, you better have engineering experts, and we don’t.
Dan Verton: When we talk about vulnerabilities, you have some serious concerns about the technologies, the infrastructures that are out there today in terms of their specific vulnerabilities. Talk a little bit about what your major concerns are.
Joe Weiss: Culture, I believe, is probably 75% of how you’re going to secure things. And part of our problem has been lack of training and the training hasn’t been of the network people, it’s been of the engineers. I have amassed a database over time and I have almost 12 million control system cyber incidents. There’s been over 1,500 deaths and well over $90 billion in direct damage. And part of the issue is we don’t have cyber logging or cyber training for the engineers. So when things start going wrong, they don’t even know when to go to the network people to say, have you seen similar things?
We can make a huge improvement if we can start training both sides. Part of the issue is that the network people are looking for network anomalies, the engineering people are looking for process anomalies. And a lot of those process anomalies do not show up as network anomalies, which is where the training comes in.
And that’s not just with end-users, that’s also with the vendors, the system integrators across the board. And the last point is because there are so few publicly identified cases. Part of the problem we have is senior management doesn’t believe this is real, because again when you hear about Colonial Pipeline, that wasn’t a pipeline bursting. That was essentially in a sense, a network problem, same thing with JBS. You’re not hearing about things like the Olympic Pipeline rupture or the San Bruno natural gas pipeline rupture, or the DC metro train crash. Things that were engineering-based and also killed people. We need to get to that.
Dan Verton: Do you think that the Biden Executive Order will assist in the changes needed, or do you feel it doesn’t have enough teeth to effect true change?
Joe Weiss: My concern, and remember I’m coming at this as an engineer, is when I mentioned one of our biggest problems is culture, and engineers not being part of the problem. The Executive Order didn’t once mention the words: “distributed control system,” “programmable logic controller,” or any other control system device. So to me, the Executive Order was fine for generic software issues, but the Executive Order was way too silent [on control systems], and propagates this siloing effect about networks – that’s my biggest concern. The other thing, which also goes to TSA, is because of a lack of cybersecurity, authentication, and even cyber logging in our control system devices, you can’t meet the requirements, either in the Executive Order, or in the TSA guidance. You don’t have the ability to know whether incidents were cyber-related or not, which is why training and everything else is going to be so important. So that was my, if you will, engineering view of the Executive Order.
Hear more from Joe Weiss and two other world-class experts who spoke with us about cyber risk management and critical infrastructure in our most recent ThreatConnect Podcast episode – “Mitigating Cyber Risk In Critical Infrastructure”.