Commitment to address control-system cybersecurity inadequate

By Chad Hemenway on February 25, 2015

Industrial control systems are the computing systems that monitor and control physical processes in electric substations, power plants of all types, refineries, pipelines, water and waste water systems, chemical plants, manufacturing facilities, transportation, building control systems, and even medical systems. 

What do you see as the greatest cyber risks industrial companies face today?

Joe Weiss, managing partner, Applied Control Solutions

In my opinion, the most important risk that most companies currently face is the lack of adequate understanding and commitment to address control system cybersecurity by senior management. Control-system cybersecurity is about cybersecuring physical processes to “keep lights on and water flowing,” not identity theft or industrial espionage. Without senior management commitment, it will be very difficult to adequately secure control systems.

Moreover, securing control systems is different than securing business IT systems. A major threat to the reliability and safety of control systems is IT organizations using inappropriate technologies, policies, and testing to “secure” control systems. Another issue that impacts the cybersecurity of control systems is the compliance mindset. The North American electric and U.S. nuclear industries are focused on compliance (checking the box) rather than adequately securing the electric systems and nuclear plants against many known cyber threats.

What are the emerging risk issues to industrial control systems?

In my opinion, there are several levels of risk. The first is unintentional cyber incidents. Unintentional cyber incidents have caused very significant impacts including destruction of large equipment, environmental discharges, and even deaths. Because unintentional cyber incidents aren’t malicious targeted attacks, the impacts are generally localized to the specific facility. With the movement to the “Internet of Things” and installing cyber-sensitive technologies, there may be more and more unintentional control system cyber incidents that may not be localized.

Malicious, though untargeted, cyber attacks include “viruses and worms” that can affect control systems when control systems are connected to corporate networks, the Internet, or third-party networks. This is where the concept of the “Internet of Things” can be such a cyber threat enabler.

In my opinion, the most frightening risks are nation-states such as Iran or North Korea deciding to cyber attack our infrastructures – and they have the capability to do that. 

Is the insurance industry doing enough to adequately address control system cyber risks?

In my opinion, the answer is no. I have found securing control systems often is not well understood by many insurance companies. There are two aspects of securing control systems that can affect insurance companies. If understood, insuring secure control systems can be a new revenue stream (the positive). On the other hand, insuring companies with inadequately secured control systems can lead to major insurance company liabilities on the order of hundreds of millions of dollars (the negative). Accepting control system cyber compliance rather than actual security will not lessen the potential liabilities to the insurance industry.

What keeps you awake at night?

What keeps me awake is the general lack of understanding about control-system cybersecurity by decision makers and the consequent inappropriate decisions made that can affect the cyber security and reliability of control systems. Much of our critical industrial infrastructure is effectively open to hackers. The damage can be devastating to our country and economy.

In your opinion, what is the single most important control system cyber risk development in the past 12 months?

In my opinion, the single most important control system cyber risk is hackers and nation-states realizing our critical infrastructures can be cyber targets and the accompanying lack of appropriate attention by senior management to these threats.

***

Joe Weiss is on the Advisory Board for Advisen’s Cyber Risk Insights Conference in San Francisco on March 3. He will also be part of a panel, Operational Risk and the Cyber Threat.

Applied Control Solutions provides thought leadership to industry and government in the area of control system cybersecurity and optimized control system performance. Joe Weiss has provided support to domestic and international utilities and other industrial companies. He is supporting the NRC on the Regulatory Guide for nuclear plant cyber security. Weiss chairs the annual Control System Cyber Security Workshop and is an invited speaker to numerous cybersecurity and critical infrastructure events. He has co-authored a chapter on cyber security for Electric Power Substations Engineering as well as numerous articles.

Chad Hemenway is Managing Editor of Advisen News. He has more than 15 years of journalism experience at a variety of online, daily, and weekly publications. He has covered P&C insurance news since 2007, and he has experience writing about all P&C lines as well as regulation and litigation. Chad won a Jesse H. Neal Award for Best Single Article in 2014 for his coverage of the insurance implications of traumatic brain injuries and Best News Coverage in 2013 for coverage of Superstorm Sandy. Contact Chad at 212.897.4824.