While no one would argue that network security isn’t important, it’s also important that the basic process sensor data that cross the OT network not be overlooked. Process sensors are necessary input for reliability, availability, safety, predictive maintenance, product quality, and cyber security. Yet process sensors have no cyber security and are connected to the […]
Category: Unfettered
Utility industry continues to deny that control system cyber incidents are occurring
Control system cyber incidents are real and impactful (more than 500 control system cyber incidents in the electric industry). To date, most of these incidents have not been identified as “cyber” because of lack of identified intent. When reporting and remediating a control system cyber incident, the intent isn’t as important as the impact of […]
Control system cyber incidents in electric and other sectors are frequent, often impactful, but not reported
The electric and nuclear industries have required “incident” disclosure for more than 20 years. The other infrastructure sectors either have no incident disclosure requirements or only recently started such as TSA for pipelines and EPA for water. There is a significant gap between the electric industry’s reported control system cyber incidents and actual control system […]
You can’t protect the unprotectable – our critical infrastructures
Locking the door doesn’t work where there is no door. Unintentional cyber accidents or malicious cyberattacks can cause kinetic damage and there are no cyber forensics, training, or cyber security requirements for addressing these incidents. The TSA Pipeline cyber security requirements (and corresponding requirements for other infrastructure sectors) need to be more control system-focused. That […]
Comments to the CISA Cybersecurity Advisory Committee on Process Sensor Cyber Insecurity
The DHS CISA Cybersecurity Advisory Committee held a conference call Thursday, March 31, 2022, that discussed current CISA Cybersecurity Advisory Committee activities and the Government’s ongoing cybersecurity initiatives. The meeting was for the Committee members to hear updates and discuss progress as it relates to the CISA Cybersecurity Advisory Committee’s six subcommittees: (1) Transforming the […]
CISA finally issues guidance on cyber issues with Uninterruptible Power Supplies (UPSs)
After years of prodding and multiple UPS cyber incidents (https://www.controlglobal.com/blogs/unfettered/cyber-vulnerable-uninterruptible-power-supplies-upss-have-caused-physical-damage-to-data-centers), March 29, 2022, CISA has finally stepped up and issued guidance on some aspects of UPS cyber vulnerabilities – https://www.cisa.gov/sites/default/files/publications/CISA-DOE_Insights-Mitigating_Vulnerabilities_Affecting_Uninterruptible_Power_Supply_Devices_Mar_29.pdf. This is certainly welcome progress. However, more work is still needed to address other aspects of insecure building and data center control systems: insecure process […]
Cyber vulnerable Uninterruptible Power Supplies (UPSs) have caused physical damage to data centers
Cyber security of the control system devices in buildings and data centers has limited cyber security. These devices include process sensors, valves, actuators, and power supplies. Remotely changing Uninterruptible Power Supply (UPS) settings can wreak havoc on the equipment they are designed to support. There is a need to address UPS cyber security, including sensors, […]
It is not possible to meet Senate cyber disclosure requirements or CISA OT recommendations
I am preparing a presentation on the lack of cyber security in process sensors titled: “Shields Up and Good Cyber Hygiene Does Not Apply to Insecure Process Sensors” for a March 10, 2022 seminar. Process sensors have no inherent cyber security and yet have hardware backdoors directly to the Internet. The cyber security gap includes no […]
The OT network community cares about data; the engineering community cares about deaths
Dale Peterson has written and held podcasts on the lack of importance of Level 0,1 devices. Because Dale is so well known in the OT security community, I felt it was important to respond to what I take to be his mischaracterization of the Level 0,1 issues. The culture gap between engineering and networking can […]
Lack of applicability of NIST Special Publication 1800-32 to process sensors
As there is still confusion about the cyber security of process sensors and other Purdue Reference Model Level 0,1 field devices, I was asked to review NIST Special Publication (SP) 1800-32 “Securing Distributed Energy Resources: An Example of Industrial Internet of Things Cybersecurity” for applicability to legacy process sensors. The title of SP 1800-32 is […]