Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
lead to physical and computer inspections to determine why there was a change in the electrical signals when the system appeared stable. The entire sequence could have been avoided. A paradigm change to monitoring sensor signals and conditions would have many advantages. The raw signals from process sensors would provide the ground truth about the physical operation of the process in question. A system to monitor these raw signals would detect anomalies regardless of the source rather than first âseeingâ the sensor inputs once they have entered the OT network. As a result, it would not be susceptible to either unintentional or intentional IT or OT network compromises, including ransomware attacks and vulnerabilities from patches in the manner of the SolarWinds hack. This would provide a level of sensor signal authentication that otherwise would not exist. Because such a system would also provide sensor health monitoring capability, maintenance intervals could be lengthened rather than relying on scheduled maintenance. Such sensor monitoring systems would also provide risk reduction and reduce the impacts of cyber incidents. EFFORTS TO ADDRESS CONTROL SYSTEM CYBERSECURITY The National Institute of Standards and Technology (NIST) has issued a Cybersecurity Framework (NIST undated). It is based on what NIST calls five core functionsâIdentify, Protect, Detect, Respond, and Recover. The lack of security in control systems and component devices makes achieving all phases of the NIST Cybersecurity Framework challenging, especially when attempting to conduct forensics acquisitions activities post-incident. NIST also issued Security and Privacy Controls for Information Systems and Organizations (SP 800-53 Rev. 5; NIST 2020) and is updating its draft Guide to Operational Technology (OT) Security (SP 800-82 Rev. 3; NIST 2022a) in April 2022. The Department of Energy Federal Energy Management Program has developed cybersecurity requirements for procurement, including planning factors and contract language (DOE undated). It remains to be seen to what extent these efforts apply to the IP networks and to what extent that address the security of control systems and Level 0 and 1 devices. CLOSING The critical flaw in facilities cybersecurity is the lack of cybersecurity, authentication, and cyber logging in process instrumentation. If users cannot trust incoming measurements, they have no cybersecurity, safety, or resilience. This gap and the related organizational culture differences between IT personnel and facility engineers needs to be addressed in order to improve the confidence in and safety, performance, and resilience of facility control systems. REFERENCES Association of State Dam Safety Officials. Undated. âCase Study: Taum Sauk Dam (Missouri, 2005): Description & Background.â Lessons Learned from Dam Incidents and Failures. https://damfailures.org/case-study/taum-sauk-dam-missouri-2005/. Accessed November 23, 2022. BACnet International. Undated. âBACnet Secure Connect Interoperability Acceleration Program.â https://www.bacnetinternational.org/page/secureconnect. Accessed March 3, 2022. Bae, Y., S. Bhattacharya, B. Cui, S. Lee, Y. Li, L. Zhang, P. Im, V. Adetola, D. Vrabie, M. Leach, and T. Kuruganti. 2021. âSensor Impacts on Building and HVAC Controls: A Critical Review for Building Energy Performance.â Advances in Applied Energy 4. https://doi.org/10.1016/j.adapen.2021.100068. Federal Facilities Council Control System Security White Paper 14
CISA (Cybersecurity and Infrastructure Security Agency). 2016. âCyber-Attack Against Ukrainian Critical Infrastructure.â ICS Alert (IR-ALERT-H-16-056-01). Last modified June 20, 2021. https://www.cisa.gov/uscert/ics/alerts/IR-ALERT-H-16-056-01. DHS (Department of Homeland Security) and DOS (Department of State). 2019. âA Guide to Critical Infrastructure Security and Resilience. Cybersecurity and Infrastructure Security Agency.â https://www.cisa.gov/sites/default/files/publications/Guide-Critical-InfrastructureSecurity- Resilience-110819-508v2.pdf. DOE (Department of Energy). Undated. "Cybersecurity Considerations for Procurement." Federal Management Program. https://www.energy/gov/eere/femp/cybersecurity-considerations- procurement. Accessed October 27, 2022. Eddy, R.P., and R.A. Clarke. 2017. Warnings: Finding Cassandras to Stop Catastrophes. New York: Harper Collins. FBI (Federal Bureau of Investigation). Undated. âMorris Worm.â https://www.fbi.gov/history/famous- cases/morris-worm. Accessed February 25, 2022. ISA (International Society of Automation). 2022a. âBuilding Automation.â https://www.isa.org/technical- topics/building-automation. Accessed March 4, 2022. ISA. 2022b. âISA111, Unified Automation for Buildings.â https://www.isa.org/standards- andpublications/isa-standards/isa-standards-committees/isa111. Accessed March 3, 2022. ISASecure. Undated. âIEC 62443 Conformance Certification.â https://isasecure.org/en-US/. Accessed March 3, 2022. Jibilian, I., and K. Canales. 2021. âThe US Is Readying Sanctions Against Russia over the SolarWinds Cyber Attack. Hereâs a Simple Explanation of How the Massive Hack Happened and Why Itâs Such a Big Deal.â Business Insider. https://www.businessinsider.com. Knapp, E., and J.T. Langill. 2015. Industrial Network Security. Second Edition. Elsevier. https://doi.org/10.1016/C2013-0-06836-3. Meserve, J. 2007. âSources: Staged Cyber Attack Reveals Vulnerability in Power Grid.â CNN. http://www.cnn.com/2007/US/09/26/power.at.risk/. Niemeyer, L. 2021. âAsk Me Anything with Lucian Niemeyer.â IIoT Worldâs ICS Cybersecurity Day. IIoT World. https://cybersecurity2021.iiotday.com. NIST (National Institute of Standards and Technology). 2020. âSecurity and Privacy Controls for Information Systems and Organizations.â NIST Special Publication 800-53, Revision 5. Joint Task Force. December. https://doi.org/10.6028/NIST.SP.800-53r5. NIST. 2022a. âGuide to Operational Technology (OT) Security.â NIST Special Publication 800-82r3 ipd. https://doi.org/10.6028/NIST.SP.800-82r3.ipd. NIST. 2022b. âProtecting Information and System Integrity in Industrial Control System Environments: Cybersecurity for the Manufacturing.â NIST Special Publication 1800-10. March. https://doi.org/10.6028/NIST.SP.1800-10. NIST. Undated. âCyber Security Framework.â https://www.nist.gov/cyberframework. Accessed October 26, 2022. Oladimeji, S., and S. Kerner. 2022. âSolarWinds Hack Explained: Everything You Need to Know.â https://www.techtarget.com/whatis/feature/SolarWinds-hack-explained-Everything-you-need-to- know. Tucker, E. 2021. âMicrosoft Exchange Hack Caused by China, US and Allies Say.â Associated Press News. https://apnews.com/article/microsoft-exchange-hackbiden-china- d533f5361cbc3374fdea58d3fb059f35. Weiss, J. 2010. âThe Need for Interdisciplinary Programs for Cyber Security of Industrial Control Systems.â WorldComp 2010 Conference. Weiss, J. 2018. âData Centers Have Been Damaged and They Are Not Being Adequately Cyber Secured.â Unfettered Blog, CONTROL. September 17. https://www.controlglobal.com/home/blog/11305965/information-technology. Federal Facilities Council Control System Security White Paper 15
Weiss, J. 2020. âAttention Policymakers: Cybersecurity Is More than an IT Issue.â PE: The Magazine for Professional Engineers. Weiss, J. 2021a. âAre Your Buildings and Cloud Cyber Secure?â Unfettered Blog, CONTROL. April 28. https://www.controlglobal.com/home/blog/11292403/information-technology. Weiss, J. 2021b. âDo the Chinese âOwnâ Our Electric Grids and Other Infrastructures?â Unfettered Blog, CONTROL. August 27. https://www.controlglobal.com/home/blog/11290637/information- technology. Weiss, J. 2021c. âEngineering, Operations, and Maintenance Often Do Not View Cyber Security as Their Problem.â Unfettered Blog, CONTROL. March 28. https://www.controlglobal.com/home/blog/11292721/information-technology. Weiss, J. 2021d. âNetwork Security Often Does Not View Control System Devices and the Process as Their Problem.â Unfettered Blog, CONTROL. April 5. https://www.controlglobal.com/home/blog/11292655/information-technology. Weiss, J. 2022a. âLack of Applicability of NIST Special Publication 1800-32 to Process Sensors.â Unfettered Blog, CONTROL. February 9. https://www.controlglobal.com/home/blog/11288439/information-technology. Weiss, J. 2022b. âA Vulnerability Worse than Log4j (And It Can Blow Up Facilities and Shut Down the Grid).â Unfettered Blog, CONTROL. January 2. https://www.controlglobal.com/home/blog/11289053/information-technology. Weiss, J., and A. Samoiloff. 2019. âChanging the Paradigm of Control System Cyber Securityâ Monitoring Process Sensor Health.â 74th Annual Instrumentation and Automation Symposium for the Process Industries. https://sigasec.com/wp-content/uploads/2019/07/Changing-the- Paradigm-of-ControlSystem-Cyber-Security.pdf. Weiss, J., and B. Hunter. 2021. âThe SolarWinds Hack Can Directly Affect Control Systems.â Cybersecurity and Deterrence (blog). The Lawfare Institute. January 22. https://www.lawfareblog.com/solarwinds-hack-can-directly-affect-control-systems. Wolf, M. 2014. High-Performance Embedded Computing. Second Edition. Elsevier. https://doi.org/10.1016/C2012-0-07058-5. Federal Facilities Council Control System Security White Paper 16
