OSIsoft Conference: consultant says work needed to secure control systems

San Francisco, CA—Joe Weiss, executive consultant at Kema Inc. and a former controls engineer, talked about his concern that control system security is being overlooked during an April 20 presentation at the recent OSIsoft User Conference.

By Control Engineering Staff May 4, 2004

San Francisco, CA—As can be seen from our recent posting of the U.S. General Accounting Office’s report on control system security at Control Engineering’s Resource Center

Joe Weiss, executive consultant at Kema Inc. and a former controls engineer, testified March 30 before the U.S. House Government Reform Committee on Technology, Information Policy, Intergovernmental Relations, and the Census about his concern that control system security is being overlooked while the government focuses on traditional IT business systems.

“There have been more than 40 cases of control system denial of service attacks since 2001,” but none of them have been recorded by reporting agencies formed to track such occurrences, Weiss reported during an April 20 presentation at the recent OSIsoft User Conference in San Francisco.

Weiss adds that the denial of service issue was created for control systems during the transition over the past several years from analog to digital systems. “This move opened up control systems more than was ever planned for,” due to interest in access by corporate engineers and other areas of the extended enterprise, he says. This requirement [to be more open to outside access] necessitates more bandwidth use, which can lead to denial of service.

In his presentation, Weiss stated that manufacturers need to address three main issues to increase the cyber-related security of their control systems:

  • The culture clash between IT and operations. IT has normally held the responsibility and resources for security, but it doesn’t understand control systems. Operations, on the other hand, often doesn’t understand security and doesn’t have the money needed to implement it. Furthermore, the CIO does not have accountability for control system security.

  • Control systems were never designed to be secure. They were designed to be useful and interoperable, leaving them wide open to attack.

  • Control system vendors are all headed in the same direction—to link the factory floor to the boardroom [further opening up control systems access], and most are teaming closely with Microsoft to accomplish this. Though Microsoft is no more vulnerable than most other operating systems, it is more of a target for attacks.

“The [industrial community] is all over the map [in its approach to security],” says Weiss. “There is little information sharing, but everyone wants to know where everyone else is at. Therefore, whatever you do will set a precedent because you’re likely to be the first to do it.”

Kema is holding its fourth annual conference on cyber security for SCADA and process control systems on August 16-18, 2004, in Idaho Falls, ID. Conference highlights will include:

  • A tour of the national SCADA test bed at the Idaho National Engineering and Environmental Laboratory;

  • Current status and updates of government and industry initiatives; and

  • A regulatory roundtable featuring representatives from the Department of Homeland Security, the legal and insurance industries, as well as the industrial community to discuss current and pending regulatory changes impacting the cyber security of process control systems.

For more information on the conference, visit www.kemaseminars.com. For Control Engineering’s control system security coverage, see “Get safe: Prepare for Security Intrusion.”

Control Engineering Daily News Desk
David Greenfield, editorial director
dgreenfield@reedbusiness.com