Control System Cyber Security

Cyber security for Information Technology (IT)/Operational Technology (OT) is about the protection of Internet protocol (IP) networks from cyber attacks. Control system cyber security is about protecting physical processes from unintentional incidents and malicious attacks. Technologically, control system cyber security is different than IT cyber security because of the control system devices and their low‐level communication protocols. Yet IT and OT cyber security policy has been developed by the network security organization with minimal participation from the engineering organizations that “own” the hardware and control systems. Control system cyber security is real—there have been more than 1,250 actual incidents identified to date.1 But there currently is widespread lack of appropriate control system cyber forensics and cyber security training. With the availability of IT cyber security hardware, testing, and training, IT systems continue to be compromised, and control system cyber security is arguably 5‐10 years behind IT. In addition to the need to upgrade control system cyber security at the levels of individual organizations and critical infrastructures, this is a matter of national security import. It was widely reported that a large Chinese‐built electric transformer may have contained hardware backdoors, allowing access to transformer equipment control parameters. (Wall Street Journal, 2020). Attack vectors in the control system area resulted in Presidential Executive Order (EO) 13920 in May 2020.2 Consequently, this paper advocates a paradigm shift to work around the current lack of a robust capability to secure control system networks. In order to address the limitations in securing control legacy and “next generation” control systems and networks, new approaches for improving control system cyber security and the ability to widely deploy them are needed.