After years of prodding and multiple UPS cyber incidents (https://www.controlglobal.com/blogs/unfettered/cyber-vulnerable-uninterruptible-power-supplies-upss-have-caused-physical-damage-to-data-centers), on March 29, 2022, CISA finally stepped up and issued guidance on some aspects of UPS cyber vulnerabilities – https://www.cisa.gov/sites/default/files/publications/CISA-DOE_Insights-Mitigating_Vulnerabilities_Affecting_Uninterruptible_Power_Supply_Devices_Mar_29.pdf. This is certainly welcome progress. However, more work is still needed to address other aspects of insecure building and data center control systems: insecure process […]
Category: Critical Infrastructure
Cyber vulnerable Uninterruptible Power Supplies (UPSs) have caused physical damage to data centers
The control system devices in buildings and data centers have limited cyber security. These devices include process sensors, valves, actuators, and power supplies. Remotely changing Uninterruptible Power Supply (UPS) settings can wreak havoc on the equipment they are designed to support. There is a need to address UPS cyber security, including sensors, […]
It is not possible to meet Senate cyber disclosure requirements or CISA OT recommendations
I am preparing a presentation on the lack of cyber security in process sensors titled: “Shields Up and Good Cyber Hygiene Does Not Apply to Insecure Process Sensors” for a March 10, 2022 seminar. Process sensors have no inherent cyber security and yet have hardware backdoors directly to the Internet. The cyber security gap includes no […]
The OT network community cares about data; the engineering community cares about deaths
Dale Peterson has written and held podcasts on the lack of importance of Level 0,1 devices. Because Dale is so well known in the OT security community, I felt it was important to respond to what I take to be his mischaracterization of the Level 0,1 issues. The culture gap between engineering and networking can […]
Lack of applicability of NIST Special Publication 1800-32 to process sensors
As there is still confusion about the cyber security of process sensors and other Purdue Reference Model Level 0,1 field devices, I was asked to review NIST Special Publication (SP) 1800-32 “Securing Distributed Energy Resources: An Example of Industrial Internet of Things Cybersecurity” for applicability to legacy process sensors. The title of SP 1800-32 is […]
The OT paradigm is broken technically and culturally – it must be fixed
On January 26, 2022, it became evident that the OT paradigm is broken. On December 29th, an article was published reporting that more than 3,000 smart instruments in a petrochemical facility had no passwords, even by default. On January 21st, SAE/MITRE held a meeting on hardware vulnerability disclosures where IoT and ICS were not addressed, including for sensors […]
Cybergs sighted: course correction required for critical infrastructure protection
“Engineer Scott, please report to the bridge immediately” (frequently heard in some 1960s-era TV shows). Are we being encouraged to implement the right measures for protecting the technologies used to monitor and control physical processes found in critical infrastructure or have we hit a cyberg[1]? This is the question I asked myself when first […]
Control System Cyber Incidents Are Real and Current Prevention and Mitigation Strategies Are Not Working
There have been almost 12 million control system cyber incidents globally across all sectors, resulting in more than 1,500 deaths and more than $90 Billion USD in direct damage. Our article, “Control System Cyber Incidents Are Real—and Current Prevention and Mitigation Strategies Are Not Working”, has been published in the January issue of IEEE Computer magazine. […]
[UPDATE] IT v. OT v. ICS Paradigm Framework, Revision 3
Shown below is the most recent version of the IT v. OT v. ICS paradigm framework, along with examples of recent attacks (only) since (approximately) 2010. Please note that this updated paradigm framework is to provide a frame of reference insofar as to how IT and OT v. ICS complement, yet are uniquely different, from […]
Cross industry meeting to address the gap in process sensor cyber security and process safety
A virtual cross-industry meeting was held on January 5th, 2022 under the purview of IEEE, with universities and standards development and industry organizations representing a cross-section of critical infrastructures. Essentially, “a coalition of the willing”. As process sensors are used in all sectors, the intent of the meeting was to create outcomes and a way […]