Governance & Risk Management , Operational Technology (OT)

The Core of the Problem With OT Control System Security

Joe Weiss on the Need for CISOs to Know the Devices and Systems They Must Secure
The Core of the Problem With OT Control System Security
Joe Weiss, managing partner, Applied Control Systems

The initial design of control systems and their ongoing maintenance requirements present challenges for securing such systems. One problem is that the protocols that act as a hub for all the devices on most industrial control systems are very outdated - especially Modbus Serial - and they were developed before there was any concept of cybersecurity. We're now seeing a huge increase in the number of reconnaissance operations around Modbus in OT, energy and manufacturing.

Joe Weiss, managing partner at Applied Control Systems, says that the issue is larger than any one problem. He says the CISO is responsible for securing control systems, but the CISO doesn't have "any knowledge of what the actual devices and systems are that they're trying to secure. The people who do have that knowledge," Weiss says, "are not under the purview of the CISO. They’re under the purview of ... the vice president of the actual operational organization, and they're not part of this cybersecurity policymaking."

"That is the core of the problem," Weiss says. "Everything else emanates from there. When you don't understand how that programmable logic controller works, or how, for example, a boiler is working, there's no way in the world you can adequately secure it, period."

In this episode of "Cybersecurity Unplugged," Weiss also discusses:

  • The need for segmentation on two fronts: isolating the OT networks from the IT networks and isolating the individual OT networks from each other based on sensitivity or priority.
  • How patching control systems, which have many modifications, can be a problem;
  • The importance of issuing guidance for engineers because field devices have no cybersecurity experience and "all the guidance coming out of Washington is only IP network-related."

Weiss is the managing partner at Applied Control Systems, providing strategic consulting to optimize and secure control systems used in industry, manufacturing, transportation, building controls and defense. He has more than 40 years of experience in industrial instrumentation controls and automation, including 14 years at EPRI in San Mateo, where he led a variety of programs including cybersecurity for digital control systems programs. Weiss is a director of the ISA Standards and Practices Board. He has served as task force lead for the review of information security impacts on IEEE standards and has provided oral and written testimony to House and Senate committees and subcommittees. Weiss has published over 80 papers on topics including instrument controls, diagnostics and COVID-19.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.