Depsite IT, Industrial and Utility Security Still Weak
In a comprehensive interview with CNET News, security expert Joe Weiss -- an authority on cybersecurity in the industrial and utilities industries -- discusses the ongoing disconnect between IT security and the world of critical infrastructure. (A subject we've discussed before).
With formerly analog, "offline" industrial and utility systems becoming increasingly networked -- such as the "Smart Grid" -- IT solutions are often being applied for security. And, according to Weiss, this is part of the problem.
As reported on CNET,
The IT community views control systems as just another computer. A control system is two pieces--the human machine interface, the screens people see in the control room, which are now moving toward Windows, Unix and Linux. These systems also use TCP/IP. So people look at this and say "Aha! That's IT. I know this." What they don't see are all of the devices in the field that sense, measure, control,and monitor physical processes. These devices don't look like a computer and don't use Windows. They use either proprietary real-time operating systems systems or fully embedded systems. There is no security at this level even though this where you go "boom in the night." What IT sees is the engineer sitting in front of a Windows workstation and they say "I know that."
He also warns that the existing vulnerabilities within the utility and industrial control infrastructures are already being exploited:
There are people who are starting to believe control system cyber is real, but it is still a small fraction. All I have are facts and physics. I've got an incident database with over 170 control system cyber incidents worldwide. Unfortunately, most incidents are not public. CERT (Computer Emergency Response Teams) and other IT security monitoring organizations are not designed to collect information for control systems. There is an unfortunate tendency to simply want to declare victory. The Department of Energy and the Department of Homeland Security both have work ongoing in this field. But neither has connected the dots on incidents that have actually happened to identify relevant R&D.