About our interview partner Joe Weiss:
Joe Weiss: PE, CISM, CRISC, ISA Fellow, IEEE Senior Member
Managing Director, ISA99
Managing Director, Applied Control Solutions, LLC
When it comes to protecting industrial control systems, you’re one of the leading experts. You’ve been working to make our world more secure for more than 40 years. You advise clients like the US government and nuclear power plants, and as managing director of the ISA99 committee you were instrumental in creating industry standards like the IEC 62443. What were other professional highlights for you?
In my career I’ve been fortunate enough to work with some of the smartest people on earth. I also had the opportunity to work on projects that benefit society – for example, by helping to get the lights back on and keep the water flowing.
How you do spend most of your time today?
In addition to advising clients as the managing director of Applied Control Solutions, I am studying some unique cybersecurity challenges that may still be unfamiliar to many people. I’m working on identifying Level 0 and 1 problems and documenting cyberattacks on control systems.
What’s one of the most difficult challenges you’ve faced in this area?
There are very few experts in cyber forensics for control systems. The challenge with control systems is to understand what happens when a system’s state has been disrupted – for example, certain valves close or relays open. Changes like these could be signs of a cyber incident. Learning how to recognize anomalies like these should be part of every control engineer’s training.
What current developments in ICS security do you find the most interesting?
I’m very interested in new sensor monitoring technologies that authenticate sensor signals and make it possible to identify specific individual devices.
You have a database of more than 1,300 documented OT incidents. Could you name a few examples that show how control system cybersecurity is relevant for SMEs?
Most incidents are relevant for them because no matter what their exact size, companies in this category use similar control devices – such as sensors, pumps, valves, and relays – with similar weak points in terms of cybersecurity: standard passwords, vulnerable protocols, and the like. One example that went public involved a hacked sewage system in Maroochy Shire, Australia. A small municipal water utility was attacked by system integrator with a grudge who remotely opened sewage valves. But examples abound covering nearly every industry and organizations of every size.
One of the recurring themes in your publications is the focus on sensors and other devices for controlling processes. Could you summarize what you see as the most important problems here?
These sensors and control units have no cybersecurity, authentication, or cyber logging capabilities. This means that the data they send cannot be trusted. Yet all OT monitoring systems assume that the data packets are uncompromised, authenticated, and correct. And as a result, entries in the network anomaly detection system are already untrustworthy.
Cybersecurity should be just as recognized as process security. That’s not the case today.
How does the situation impact the CEO or CIO of an SME?
A cyber attack on the control system can have extreme consequences. In the worst case, people can die as a result. Organizations have gone bankrupt due to such incidents. In addition, insurers and rating agencies have begun taking the cybersecurity level of company’s control systems into account when making their assessments.
What do you think about OT network monitoring or anomaly detection systems?
These systems are powerful, but they don’t address the need to detect process anomalies. The goal for the future should be to coordinate systems for detecting device (process) anomalies and network anomalies.
You need to be aware that the data from nearly any sensor is not necessarily trustworthy. Nearly all devices have a MAC address although there’s no cybersecurity in the field devices at all. Yet they are capable of Ethernet connections to the host computers and field calibrators.
Do you regularly hear any claims related to your line of work that you feel are inaccurate or half-truths?
The idea that air gaps take care of everything. People think that they have isolated their control system networks from the company networks and the Internet. But the truth is that you can’t completely isolate systems. Real air gaps are impossible to create, even for a small to medium-sized company. Many consultants claim the contrary – but you can never completely count on air gaps.
What’s the best way to create a shared culture across operations and IT? How do you persuade management to prioritize support for control system cybersecurity? How can you convince them to ensure that operations/engineering organizations are involved in cybersecurity governance for control systems?
If I had answers to these questions, everything would be fine. Unfortunately these questions are difficult ones and the process is ongoing. Management understands ransomware and IT cybersecurity only to the extent that these topics are covered in the media and discussed publicly. But many of them don’t think control system cyber weaknesses like Stuxnet are a problem. They argue “We don’t have centrifuges” or believe “a sovereign state wouldn’t attack me.” But some of the world’s leading cybersecurity providers were compromised by the SolarWinds hack – and industrial control systems lag five to ten years behind IT in terms of technical sophistication and the ability to detect an attack. What’s more, control systems aren’t developed to withstand intentional misuse.
What does all this mean for the future?
I think things will keep getting worse. The engineering world and the cybersecurity world often have different aims that may be mutually incompatible. The engineers think; “Cyber just means IT, and IT is just e-mail.” They don’t let cybersecurity affect their equipment setups. The network specialists think that the networks are the ultimate goal and the engineers’ setups don’t matter. Each side thinks that the other one doesn’t understand what they’re saying.
But wouldn’t you say that controls for Level 2 and above are better than nothing?
Well, yes and no. Of course protecting Levels 2 and above is important. But if you stop there, you have a false sense of security because you’ve ignored the cyber risks for Level 0 and Level 1 devices. Devices at these levels and even some at Level 2 have been specially developed to be safe and reliable. Cybersecurity was not a design requirement. Even triple redundancy is not necessarily a guarantee of security – it just makes the device highly reliable.
I also dislike the term “cyber-physical system.” It’s misleading. A pump is a physical system with cyber connectivity. A firewall is a cyber system.
If you could send an e-mail to every CIO in the world, what would the main message be?
A company’s job is to make things. CIOs must protect the equipment that their company needs to manufacture its products. Good engineering can close a lot of cybersecurity gaps, but engineers and network cybersecurity specialists still need to work together.
Thanks to Joe Weiss for his time!
In our day-to-day business, as your independent partner we analyze customer requirements towards cybersecurity and identify suitable providers of products and services. Therefore, we have collected a significant number of interesting provider and solution profiles. Of course, this does not include any recommendations for products or providers. Also be sure that we do not receive any advertisement payments for the interviews. If you are interested in an interview with us, please send a short message to firstname.lastname@example.org.
Please remember: This article is based our knowledge at the time it was written – but we learn more every day. Do you think important points are missing or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts and welcome your feedback and thoughts.
And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.