In this episode of CHATTINN CYBER, Marc Schein interviews Joe Weiss, the Managing Partner at Applied Control Solutions LLC, Managing Director at ISA99 ICS Cyber Security Pioneer and keynote speaker. The discussion revolves around cybersecurity challenges in control systems, with a focus on those in critical infrastructure like nuclear plants. Joe was formerly a control system engineer who worked on instrumentation controls, primarily control and safety systems in nuclear plants.
Joe notes the different challenges in implementing effective cybersecurity measures in control systems. The first, he shares, is the cultural gap between engineers and IT personnel. He explains that these two groups have different mindsets and concerns, which makes it challenging to work together. For example, IT personnel might need to upgrade a computer or perform maintenance, but engineers might resist because taking a workstation down could cause the entire plant to shut down. Joe suggests that doughnut diplomacy, which involves getting engineers and IT personnel together to work out their differences over doughnuts and coffee, has not worked in bridging this cultural gap.
Another challenge is the technical gap in control systems. Joe explains that many control systems are older systems that have been upgraded from a very insecure base. Legacy devices lack basic security features like passwords, authentication, and encryption, which makes them highly vulnerable to cyberattacks. He provides an example of how some brand-new digital sensors installed at a petrochemical plant in Abu Dhabi did not have any passwords in their vendor spec sheets. Therefore, there was no way to send calibration data to the cloud securely.
Joe adds that control systems are very different from traditional IT systems, and security measures that work in one domain might not work in the other. For example, while data is the main focus in traditional IT systems, physics is the primary concern in control systems. Control systems are designed to manipulate physical processes, and the closer they get to the edge, the more efficient the processes become. This makes it difficult to implement traditional security measures like zero trust, which assumes that nothing can be trusted until proven otherwise.
Joe concludes the conversation by suggesting that insurance companies and credit rating agencies can play a significant role in driving improved cybersecurity in control systems. These organizations are highly risk-averse and can convince boards to take cybersecurity more seriously. He believes that control system cybersecurity is not going to be solved by the government and requires a concerted effort from all stakeholders involved.
“The general rule is that these big control systems are 1980s, 1990s technology that have been in a funny sense upgraded. But they’ve been starting with a very, very insecure base.”
“To a sensor controller in real time, this thing is happening in milliseconds, it’s 100% trust. What’s worse, these devices are built in backdoors, directly to the internet. So everything you’re trying to say not to do on the network side is exactly what’s in this most critical of all of our critical devices.”
[01:53] Joe’s journey into cybersecurity
[04:10] Everything is about data and data processing.
[05:52] The engineers and the network people don’t get along.
[09:04] Calibrating the sensors
[10:39] Zero trust is 100% trust
Connect with Joe: