The 2024 RSA Cyber Security Conference – what wasn’t addressed can hurt you

Critical infrastructure cyber security took a prominent position at the RSA Cyber Security Conference with the issuance of NSM22. NSM22 states: “It is diverse and complex, and includes distributed networks, varied organizational structures, operating models, interdependent systems, and governance constructs.” There was no mention of hardware. Yet critical infrastructure is dependent on hardware – pumps, motors, valves, relays, transformers, turbines, robots, etc. As a result, there were no discussions of hardware control system cyber issues such as hardware backdoors in Chinese electric power transformers, port cranes, inverters, and circuit breakers; possible control logic compromises with the Iranian Unitronics PLC attacks; Russian cyberattacks against US critical infrastructures; the Aurora vulnerability, which manipulates physics, not data; data center shutdowns from process sensors and chiller motor issues; and medical device control system cyber incidents that have injured hundreds. Maybe next year RSA will have more of a focus on critical infrastructure cyber security.

