Journal of Critical Infrastructure Policy Volume 1, Number 2, Fall/Winter 2020 | Page 133

Control System Cyber Security
sponsible for control system equipment and understands how these systems work and interact. Many network security-induced control system cyber incidents have occurred because of inadequate coordination. Several examples are provided.24 Moreover, in this author’s opinion, very critical cyber events such as the Aurora Generator Test have not been adequately addressed because engineering expertise has not been sufficiently involved.25
Change will not happen unless government-run critical infrastructures and privately held infrastructure CEOs make smart determinations about the need for improved control system security across their operations and incorporate that recognition into the corporate culture. When one considers that current defenses may be inadequate to avert a control system failure, issues of service disruption, inherent risk, severe accident occurrence, control compliance, facility damage and remediation, and community relations can come into play. This risk has been identified by Moody’s Investor Services as a concern in several recent presentations and in response to Executive Order 13920.26
The cultural gap between the cyber security and engineering teams starts at the university level. The impact of this gap is reflected in the disparity of engineering systems vs cyber security product designs, to the extent that they diverge rather than converge. Understanding and mitigating control system attacks requires operators, researchers and technicians to have access to extensive theoretical and practical knowledge. Control system cyber security is an interdisciplinary field that should encompass computer science, networking, public policy, and engineering control system theory and applications. Unfortunately, today’s computer science curriculum typically does not address the unique aspects of control systems. At the same time, electrical engineering’s power system focus, and chemical engineering, mechanical engineering, nuclear engineering, and industrial engineering curricula, do not adequately address computer security. There is a need to formulate and implement interdisciplinary programs for control system cyber security both in the university setting as well as through industry-supported onsite and supplementary educational opportunities.
It is useful to conceptualize how control cyber security is situated relative to the IT security and the control systems engineering frames. As Figure 4 indicates, the vast majority of individuals working in this space are from the IT world, with a subset dedicated to IT security. Movement must occur at the intersection of IT security and control systems engineering in order to enable constructive dialogue,
24 Industrial Control System Security Within NASA’s Critical and Supporting Infrastructure, February 8, 2017, NASA Report No. IG-17-011, https://oig.nasa.gov/audits/reports/FY17/IG-17-011.pdf
25 https://www.controlglobal.com/blogs/unfettered/not-all-cyberattacks-are-malware-incidents-itdidnt-take-any-lines-of-code-to-blow-up-a-27-ton-generator
26 Moody’s Credit Outlook, “US electric utilities will benefit from cybersecurity measures in executive order,” May 6, 2020.