Joe Weiss* is an international authority on cybersecurity and control with more than 45 years of experience in control systems and cyber security of control systems and is the author of the book Protecting Industrial Control Systems from Electronic Threats.
On Joe’s blog entitled “Unfettered” on the website ControlGlobal.com, he recently asked a fundamental question: “Why would attackers hit defenses head-on when they could simply bypass them?” He then explained in detail how one of America’s MOST CRITICAL grid assets – Large Power Transformers – are vulnerable to Chinese hardware backdoors which compromise their integrity and potentially put them at grave risk of damage or destruction. With more than 200 of these Chinese-manufactured transformers in America’s grid, this could spell disaster.
Joe also discussed the need for Industrial Control System (ICS) cyber security to address vital issues like this. He stated, “The original intent of ICS cyber security was to keep lights on, water flowing, and maintain reliability and safety. Unfortunately, the intent of ICS cyber security has been changed by the OT network security community and it is no longer about preventing system impacts but about maintaining OT network integrity.”
Joe compares this sole focus on “network integrity” to the WWII French Maginot Line and explains how the exclusion of engineering assets (like sensors, actuators, drives, etc.) and engineering personnel in cybersecurity are two of the reasons why the Chinese have “breached it.”
Joe’s also asks some very important questions for those who operate and regulate the electric grid: questions about the supply chain, cyber security, the regulatory environment, information sharing, the Industry Transformer Pool, training, and governance.
For anyone charged with “keeping the lights on,” this article is a MUST READ:
*Joe Weiss has worked with numerous people, manufacturers, end-users, and consensus standards organizations, including being part of the original North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection Working Group (before it became NERC CIPC). He helped start the control system cyber security program for the electric utilities at the Electric Power Research Institute (EPRI) and is currently the Managing Director of the International Society of Automation (ISA) S67 (Nuclear Plant Standards), ISA77 (Fossil Plant Standards), ISA99 (Control System Cyber Security) and various Institute of Electrical and Electronics Engineers (IEEE), International Electrotechnical Commission (IEC), NERC, and CIGRÉ (International Council on Large Electric System) committees. He has also supported the Federal Energy Regulatory Commission (FERC), the Nuclear Regulatory Commission (NRC), and the National Institute of Standards and Technology (NIST).