Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
SUMMARY There are critical flaws in current cybersecurity approaches for all physical infrastructures including facilities. The physical infrastructure, including facilities, are monitored and controlled using process instrumentation and control systems. Unfortunately, most cybersecurity efforts are focused on information technology groups and Internet Protocol (IP) networks. In general, control systems have no cybersecurity, and some are intentionally built to be open for ease of remote access. In effect, control systems can be an open door into otherwise well-protected IP networks. They can also be hacked and their data signals compromised. This situation can leave entire facilities vulnerable to devastating attacks even if they have rigorous cybersecurity in place, as is illustrated by multiple recent cyber incidents that have left various corporations completely incapacitated. Cybersecurity for Level 0 and Level 1 devicesâ which include sensors, the Industrial Internet of Things (IIoT), and operate on a time scales ranging from milliseconds to secondsâis particularly underdeveloped. Addressing this gap requires fundamental changes in cybersecurity education, funding and implementation, and integration between departments that are currently operating separately, as well as a significant paradigm shift to monitoring process sensors in real time. Movement in these areas would result in improved cybersecurity, productivity, process safety, predictive maintenance, and resilience, while also breaking down cultural and organizational barriers. INTRODUCTION Control systems are designed, developed, operated, and maintained by control system and facility engineers. Control systems use engineering devices, information technology (IT) networks, and network devices that are generally maintained by an organizationâs IT department. While the IT community has considered cybersecurity to be important since the Morris Worm in 1988 (FBI undated) the control system community has been late to address cybersecurity of control systems. Control system devices typically have no built-in cybersecurity, authentication, or cyber logging capabilities, and may be open and vulnerable by design to allow for easy remote access. The IT and control system communities have different backgrounds and goals that occasionally conflict. For instance, the IT community is concerned first and foremost with protecting Internet Protocol networks and is evaluated based on its success in doing so. Despite the IT communityâs focus on cybersecurity, cyber threats are still a concern even with the newest IT cybersecurity technologies, as seen in the SolarWinds cyberattack, where a reputable and competent cybersecurity company was hacked (Jibilian and Canales 2021). Whereas IT personnel are primarily focused on concerns such as data confidentiality and integrity, as well as data and application availability, the control systems community is concerned with keeping facilities operating as they are supposed to, while providing for safe and reliable operations that do not impact productivity or operational objectives. These two foci are, at times, at odds. There have been incidents where an IT mindset, combined with lack of coordination with OT asset operators, has âbrickedâ 1 control systems. Examples of this include applying patches to IT systems that are 0F part of the control system, applying patches to OT systems that alter the functionality of the system unintentionally, and active network scanning within an OT network. Overall, there are significant culture gaps between the IT and control systems communities, despite many efforts to bring them together. This paper presents a paradigm change for control system cybersecurity to move from a primarily network-based approach to an engineering issue that will result in improved process reliability, process safety, predictive maintenance, improved productivity and product quality, resilience, and cybersecurity (NIST 2022b). Appendixes include the slides from presentations at an August 2021 workshop on this topic, a list of possible first steps to address control system security in an organization, and a glossary of terms. 1 âBrickingâ refers to rendering a device inoperativeâthat is, turning it into a âbrick.â Federal Facilities Council Control System Security White Paper 2
