Since 2015, the International Council on Systems Engineering’s (INCOSE) Critical Infrastructure Protection and Recovery (CIPR) working group has been committed to defending critical infrastructure against manmade and natural disruptive events. The group serves as a forum for the application, development and dissemination of systems engineering principles, practices and solutions in this area.
Now, in the midst of the global COVID-19 pandemic, that mission is more important than ever.
At the CIPR working group’s monthly call on April 9, control systems cybersecurity expert Joseph M. Weiss gave a presentation on the gap between information technology, operational technology and engineering. Weiss delved into the engineering aspects of control system cybersecurity that are often ignored to the detriment of defending critical infrastructure.
“It is clear the gap between engineering and network security, whether IT or OT, is growing. This gap was extremely evident in discussions within ISA99, INCOSE, and others. To engineers, safety is sacrosanct and must be protected at all costs,” Weiss wrote in a blog post for Control Global. “That was not the view of some of the cyber IT/OT security practitioners. On 4/7/20, a very smart IT security expert now working in OT for a major control system supplier stated the following in control system cyber security discussions about safety and security: ‘The definition difference is probably a matter of our different backgrounds in security…I just don’t believe safety belongs as a top-level addition to the CIA triad – if anything it’s already included in Integrity if you assert that OT by default includes people as an ‘asset’ of an IACS.’ As a nuclear engineer, who grew up with nuclear safety, this cavalier attitude toward safety is completely unacceptable and should be for anyone working in control system cyber security.”
Control systems are an essential component of defending critical infrastructure. They are used to monitor, control, and safely shut down physical processes in commercial, industrial, manufacturing, medical, and defense applications.
These systems affect the reliability, availability, safety, and resilience of an operation and as such, cyber incidents involving control systems can have devastating consequences ranging from denial-of-service to equipment damage. According to Weiss, there have already been more than 1,200 actual control system cyber incidents resulting in more than 1,500 deaths and more than $70 billion in direct damage.
In 2017, the United States National Aeronautics and Space Administration released a report looking at industrial systems security within NASA’s critical and supporting infrastructure. The report demonstrates several examples of IT/OT system malfunctions.
According to the report, “[a] large-scale engineering oven lost ability to monitor and regulate temperature when a connected computer was rebooted after application of a security patch update intended for standard IT systems. The reboot caused the control software to stop running, which resulted in the oven temperature rising and a fire that destroyed spacecraft hardware inside the oven. The reboot also impeded alarm activation, leaving the fire undetected for 3.5 hours before it was discovered by an employee.”
In another instance, “[v]ulnerability scanning used to identify software flaws caused equipment to fail and loss of communication with an earth science spacecraft during an orbital pass. As a result, the pass was rendered unusable and data could not be collected until the next orbital pass.”
“These are just a very small set of examples of the danger of having people without adequate knowledge of the systems or system interactions involved with these critical systems,” Weiss writes. “I can cite many more that either caused denial-of-service or even damaged control systems.”
Weiss’ presentation centered around the lack of coordination between IT/OT and engineering in defending critical infrastructure. There has been a lack of training for control system engineers to recognize potential cyber-related events. Additionally, plant engineering and IT/OT staff often don’t work together because IT and OT largely differ from engineering, which is more closely related to physical processes.
While cybersecurity is often focused on protecting data, in industrial control systems, system security is the priority. Similarly, IT and ICS endpoints differ. IT is concerned with devices like laptops while ICS is focused on process sensors, analyzers, actuators, motor controls, and related instrumentation.
According to Weiss, this disconnect has been further illustrated by the feedback he received after his presentation.
“The lack of coordination between IT/OT and engineering can be seen from a comment from one of the attendees,” Weiss wrote. “In his note asking for the slides, a representative from a major manufacturer stated: ‘Your discussion was something that I’d like to be able to bring both the Plant Engineering and IT folks in the same auditorium and lock the doors for a while. Having just spent my Saturday recovering plant systems from a switch security firmware update change underneath our plant network just indicated again how far we are away from where we need to be.’”
“The full requirements to undertake and maintain simple-to-complex systems are not comprehensibly understood by most, probably all, in different ways and on various levels,” wrote another participant. “My colleague and I have been fighting this battle for some time, only to achieve even more frustration.”
The call brought together participants from INCOSE’s Transportation Working Group, the Power & Energy Working Group, the Object-Oriented Software Engineering Methodology Working Group, Smart Cities initiative, and Resilient Hospital Model initiative. It also included members from the International Society of Automation, the Institute of Electrical and Electronics Engineers (IEEE), SAE International, InfraGard’s National Disaster Resilience Council, domestic and international utilities, manufacturing companies, universities, and other public and private organizations.
“With the large attendance, it was evident there was an interest in learning about the critical, but generally not addressed, issues of the engineering aspects of control system cyber security,” Weiss writes. “There was also a common thread that control system cyber security issues are more than just IT/OT convergence. From the broad participation in the call, it was also evident there is a need for these different standards and engineering organizations to collaborate and the need for coordination among these groups. To date, it is unclear who will step up to do the coordination.”
Weiss is the author of Protecting Industrial Control Systems from Electronic Threats, which provides insight on defending critical infrastructure from electronic threats. He also serves as managing director of ISA Control System Cyber Security and is an ISA Fellow.