Journal of Critical Infrastructure Policy
Consequently , this paper advocates a paradigm shift to work around the current lack of a robust capability to secure control system networks . In order to address the limitations in securing control legacy and “ next generation ” control systems and networks , new approaches for improving control system cyber security and the ability to widely deploy them are needed .
Keywords : Control systems , cyber security , Operational Technology , Presidential Executive Order 13920
Introduction
Control systems monitor and guide the operation of physical assets and processes , such as power systems , refineries , pipelines , water and wastewater , chemical plants , strategic industries , manufacturing , building controls , healthcare installations and other critical infrastructures . ( As can be seen from this list , control systems are used in more than just “ industrial ” applications .) Operational technology ( OT )/ control systems pertains to hardware and software that detect or cause changes through the direct monitoring and / or control of industrial , manufacturing , and commercial equipment , assets , processes and events . What makes control system cyber security different than IT cyber security are its overriding priorities of protecting life and physical property . This applies at the level of a small industrial or manufacturing plant as well as the control room of a utility providing electricity to multiple states .
From 1970s through the mid-1990s , control systems and their accompanying process sensors and other field devices such actuators , drives , and chemical analyzers were not connected to the outside world . They operated under the purview of engineers who designed , operated , and maintained these systems . The design and operational requirements emphasized performance and safety — not cyber security . Control systems and the “ dumb sensors ” that monitored equipment generated data only useful to engineers , operations , and maintenance . The advent of microprocessors in the late 1960s and Moore ’ s Law allowed the calculation and conversion capability to take the 0s and 1s of engineering data and to convert them to information usable by multiple parties outside the organization ’ s engineering division . It was the availability of this valuable data that led to demand outside of the engineering operation , and often outside the company . It enabled productivity improvements like “ just-in-time ” operation through data sharing among multiple organizational components . The Internet and modern networking technologies were vehicles for information dissemination and remote systems management .
From an engineering and control system perspective , cyber security was simply a new set of risks to be addressed in designing and implementing systems ,
112