Control System Cyber Security
sponsible for control system equipment and understands how these systems work and interact. Many network security-induced control system cyber incidents have occurred because of inadequate coordination. Several examples are provided.²⁴ Moreover, in this author’s opinion, very critical cyber events such as the Aurora Generator Test have not been adequately addressed because engineering expertise has not been sufficiently involved.²⁵
Change will not happen unless the leaders of government-run critical infrastructures and the CEOs of privately held infrastructures make smart determinations about the need for improved control system security across their operations, and incorporate that recognition into the corporate culture. When one considers that current defenses may be inadequate to avert a control system failure, issues of service disruption, inherent risk, severe accident occurrence, control compliance, facility damage and remediation, and community relations can come into play. This risk has been identified by Moody’s Investor Services as a concern in several recent presentations and in response to Executive Order 13920.²⁶
The cultural gap between the cyber security and engineering teams starts at the university level. The impact of this gap is reflected in the disparity of engineering systems vs cyber security product designs, to the extent that they diverge rather than converge. Understanding and mitigating control system attacks requires operators, researchers and technicians to have access to extensive theoretical and practical knowledge. Control system cyber security is an interdisciplinary field that should encompass computer science, networking, public policy, and engineering control system theory and applications. Unfortunately, today’s computer science curriculum typically does not address the unique aspects of control systems. At the same time, electrical engineering’s power system focus, and chemical engineering, mechanical engineering, nuclear engineering, and industrial engineering curricula, do not adequately address computer security. There is a need to formulate and implement interdisciplinary programs for control system cyber security both in the university setting as well as through industry-supported onsite and supplementary educational opportunities.
It is useful to conceptualize how control cyber security is situated relative to the IT security and the control systems engineering frames. As Figure 4 indicates, the vast majority of individuals working in this space are from the IT world, with a subset dedicated to IT security. Movement must occur at the intersection of IT security and control systems engineering in order to enable constructive dialogue,
26 Moody’s Credit Outlook, “US electric utilities will benefit from cybersecurity measures in executive order,” May 6, 2020.