Hall of Fame – Industrial Cybersecurity Grandmaster Joe Weiss
In the third part of Industrial Cyber’s Hall of Fame series of in-depth interviews with professionals from the industrial cybersecurity industry, we are proud to highlight the contribution of well-known expert on industrial control cybersecurity, Joe Weiss.
With over 40 years of experience in the industry and managing partner of Applied Control Solutions, LLC, a consulting firm that specializes in industrial control systems (ICS) and cybersecurity, Weiss has been actively involved in the development of various security standards for critical infrastructure protection.
One of Weiss’ main areas of expertise is in assessing and mitigating cyber threats to critical infrastructure systems, such as power plants, chemical facilities, and water treatment plants. He advocates for a holistic approach to ICS security that emphasizes a combination of technical measures, organizational changes, and cultural awareness. Weiss believes that while security technologies and practices remain essential, organizations should focus on building a security culture, which involves instilling a security mindset in all personnel.
Often considered hard-hitting, honest, and visionary, Weiss is also a strong advocate for improved regulation and standards for ICS cybersecurity, arguing that many current regulations are outdated and inadequate for today’s threats. Overall, he is widely respected as a leading voice in the field of ICS cybersecurity and has made significant contributions to raising awareness of the importance of protecting critical infrastructure systems. Weiss is a strong advocate for the development and implementation of updated and enhanced security standards to ensure the safety and resiliency of critical infrastructure systems.
Weiss is also the author of the book ‘Protecting Industrial Control Systems from Electronic Threats,’ which is considered a seminal work on the subject. In addition, he has written numerous articles and papers on ICS security and is a frequent speaker at conferences and other industry events. He is an ISA Fellow, managing director of ISA99, a Ponemon Institute fellow, and an IEEE senior member.
Weiss is a respected thought leader in industrial control cybersecurity, whose expertise and contribution have played a critical role in advancing the field of ICS security.
Industrial Cyber: What led to Joe Weiss becoming an ‘expert on control system cybersecurity’? How did it all begin? Were you always inclined towards control device cybersecurity, or did you end there as that’s where you saw that unaddressed challenges existed within the organizational framework?
Joe Weiss: I am a nuclear engineer. My first job was with GE’s Nuclear Power Division in San Jose, CA working in instrumentation, control systems, nuclear plant simulators, process computers, and equipment forensics. This was in the early 1970s. There were no PCs, laptops, tablets, the Internet, or concerns about cyber security. There was also no remote access – computer programs were on punch cards that you physically delivered.
Early on, I tended to focus on issues that weren’t fully addressed such as flow-induced vibration affecting the in-core instrumentation and development of new instrumentation. When I arrived at the Electric Power Research Institute (EPRI) in the late 1980s, I was managing the EPRI Nuclear Instrumentation and Diagnostic Program.
My focus was to help reduce maintenance costs which included sensor health monitoring and equipment diagnostics. This is where I first began recognizing some of the issues with process instrumentation including process and vibration monitoring sensors. I then managed the EPRI Fossil Plant Instrumentation and Control (I&C) Program where we developed advanced control system algorithms, and I started the EPRI I&C Center at the TVA Kingston Steam Plant to document the benefits of advanced instrumentation and control system algorithms.
In 1998, we started the EPRI Y2K Embedded Systems Program. All parts of the utility organizations participated because officers and directors were personally liable. On January 2, 2000, the Y2K program ended, and we started the electric industry control system cyber security program assuming that the personnel silos that were down during U2K would stay down. We were wrong.
IC: You have worked on integrating instrumentation, controls, and automation with the cybersecurity of industrial control systems across multiple industries. How did you achieve this? Was it a seamless transition or did you face bottlenecks along the way?
JW: When we started the control system cyber program in 2000, it was an engineering issue because ‘you can’t make a product if the control systems don’t work.’ Following 9/11, a major transition occurred when cyber security became national security and was moved to IT (now OT). This was where the culture issues between networking and engineering started and continue to this day.
IC: You are an author, patent holder, ISA Fellow, Ponemon Institute Fellow, and an IEEE Senior Member. You have also been the Managing Director of the ISA99 Committee. Which of these roles has been the most challenging, and brought out the best in you?
JW: All experiences shape you and each organization has people coming from different perspectives. Cybersecurity affects all these organizations in a somewhat different way. My various experiences – instrumentation, control systems, equipment diagnostics, and now cyber security all connected, though it didn’t seem so at the time. It has been fascinating to see and experience these differences and similarities.
IC: How do you manage to map and align across these verticals – Managing Director ISA67 Nuclear Plant Standards, Managing Director ISA77 Fossil Plant Standards, and Managing Director ISA99 Automation and Control Systems Security?
JW: All involve control systems.
IC: Of all your titles, which one is most dear to you? And, why?
JW: Grandpa. It’s easy to understand when you see the smiles on my grandkid’s faces.
IC: You have been influential to several executives in the industrial cybersecurity sector. Who have been the strongest influences in your career?
JW: I have had numerous mentors throughout my career. From cyber security, it would be several people – Mike Assante, Jeff Dagle from the Pacific Northwest National Laboratory, Gary Siefert from the Idaho National Laboratory, Ron Ross from NIST, and Marshall Abrams from MITRE.
IC: What challenges have you faced in your career and how did you overcome them? How difficult has it been to get your message across to the industry and government stakeholders?
JW: It is a work in progress. From cyber security, the biggest challenge is to get people to recognize that control system (OT) cyber security is more than just network cyber security and to get the control system engineers to work with the network security experts and vice versa. Unfortunately, this culture gap is alive and well – in fact, growing. A follow-on is that most in the network security community view cybersecurity as only cyberattacks and only against IP networks. There have been more than 17 million control system cyber incidents that have directly killed more than 34,000. Most were not identified as being cyber-related. As a result, I have been developing a module for ISA on what is a control system cyber incident.
IC: As a visionary in the control system cybersecurity space, how have control systems and electronic security evolved over the last 40 years?
JW: When we first started addressing digital control systems and remote access, we knew they would provide significant productivity improvements and reduce staff. Very few people thought cyber security would be an issue for control systems. Because of the culture gap between network security and engineering, instead of them evolving symbiotically, they are evolving independently and that is not good.
IC: What is the current state of the Industrial Automation & Control Systems (IACS) that are integrated into critical infrastructures and industrial production establishments? What do you see as the key issues that currently affect the industrial cybersecurity and supply chain security sectors?
JW: Control system (OT) networks have had significant cyber security improvements. Training and education for securing control system networks have also significantly improved. Software supply chain is gaining considerable focus though the hardware supply chain is not. However, cyber security for control system field devices, such process sensors and actuators are significantly lagging as are the requisite training.
IC: What are the challenges that you expect the industrial control and process automation systems to face, with the deployment of advanced analytics, machine learning, and artificial intelligence?
JW: There is an old saying – ‘garbage in-garbage out.’ Advanced analytics, machine learning, and AI can provide significant improvements. However, there are two issues. The first is unless the advanced technologies are used at the process sensor layer to assure secure, authenticated, and accurate measurements, the advanced technologies will be based on untrusted data.
We demonstrated that by monitoring at the Level 0 layer, you can improve reliability, predictive maintenance, productivity, and cyber security, even minimizing the impact of ransomware on control systems. Unfortunately, few organizations are doing that. The second issue is identifying ‘adversarial AI.’ That is using these advanced technologies against the control systems, which can be very destructive.
IC: What most concerns/excites you about the future of industrial cybersecurity? What are the most significant dangers and challenges that target the sector in your opinion, and how equipped is the industry to deal with the current threat landscape?
JW: We need to develop the next generation of engineers that recognize the need for cyber security. We also need to develop the next generation of network security personnel who recognize there is a difference between networking and control systems. Without appropriate training and cooperation, control systems cannot be secured.
IC: From your vast experience, what guidance would you provide a young professional entering the industrial cybersecurity vertical, amid widespread threats and attacks, and frequent government policies and directives?
JW: Control system (OT) cyber security is a growing field. For those in engineering, take an introductory course on cyber security and meet with the cyber security leads to understanding their perspectives. For those in cyber security, take an introductory course in engineering and meet with senior engineering people to understand their perspectives.
IC: When you’re not working in industrial cybersecurity, what do you do? What helps you relax?
JW: Besides the family, until COVID hit, I was an active competitive racquetball player. Since COVID, I have been riding my bicycle since the gyms were closed. Since December 2019, I have had almost 10,000 miles on my bicycle. In September, I will be riding again in the Multiple Sclerosis (MS) Waves to Wine bike ride raising money to fight MS. If people are interested in making a donation, I can provide further information.
Highlights Section:
1. Years of Experience in the industrial cybersecurity space – 23 years, started January 2000.
2. Major Companies worked for GE, EPRI, KEMA, Applied Control Solutions, LLC since 2007
3. Vertical Focus: Started in nuclear power and electric. However, sensors and equipment forensics apply to all verticals.
4. Joe’s message to our readers: Instrumentation and control systems are the building blocks of every industrial or manufacturing organization. Doing good engineering and using common sense can improve performance, safety, and cyber security. Making our infrastructures safer and more reliable provides the satisfaction of helping humanity. I also felt this way when I was involved in Y2K and spent the evening of Y2K at the utility industry command center monitoring impacts worldwide.
A complimentary guide to the who`s who in industrial cybersecurity tech & solutions
Free DownloadRelated
