Protecting Industrial Control Systems from Electronic Threats

//Protecting Industrial Control Systems from Electronic Threats

Protecting Industrial Control Systems from Electronic Threats

[wpramazon asin=”1606501976″]

By | 2012-06-23T22:46:39+00:00 June 23rd, 2012|Phoenix Internet Marketing|3 Comments

About the Author:

3 Comments

  1. Tom R "Tom Russo" June 23, 2012 at 11:45 pm
    6 of 6 people found the following review helpful
    4.0 out of 5 stars
    A Crash course on Cyber Theats and Industrial Control Systems, March 15, 2011
    By 
    Tom R “Tom Russo” (Washington DC) –

    Amazon Verified Purchase(What’s this?)
    This review is from: Protecting Industrial Control Systems from Electronic Threats (Hardcover)

    I approached this review as someone very familiar with many aspects of energy regulation and having broad knowledge of IT security having recently passed my CISSP exam. I am not an Industrial Control Engineer, but am very concerned about cyber threats to our energy, water, chemcial and transportation infrastructure. That is where this book comes in handy. I rated this book 4 stars, because it provides a good grounding of the technical and policy issues and obstacles that have to be addressed to protect infrastructure. Note, this review is my personal opinion and does not reflect the views or opinions of my employer.

    The 166 pages of this text really amount to a crash course on industrial control systems and document why many typical IT security measures may fail to prevent cyber attacks. In fact the author goes to great lengths to explain how such out of the box security fixes may do more harm than good and bring the underlying hardware and software to a screeching halt. The real impacts of that happening could translate to blackouts and brownouts, pipeline explosions and a host of other inconveniences depending on the kind of system one is dealing with.

    Joe Weiss leads the reader slowly through the technical issues of industrial control systems and provides numerous examples of how cyber threats have plagued various industries. These summaries are detailed and valuable. I found myself thinking about what administrative and logical controls to apply.

    This book is ideal for any IT Security professional or regulators who have to grapple with protecting electric, natural gas, oil, water, chemical and transportation infrastructure from cyber attacks. Some of the materials are very technical and policy makers and regulators may find these distracting. However, one needs this grounding if only to appreciate that securing industrial controls of power, natural gas, water, etc. is complicated and can not be done without carefully examining the implications of policies, regulations, and technical fixes being applied to the IOCs. To do otherwise may only make matters worse.

    In fact, owners of these facilities would be wise to prevent IT Security experts from working on their industrial control facilities who don’t at least have an appreciation of their respective facilities. The reverse is true is also true. Industrial control engineers who don’t have a grounding in IT security can’t just simply apply IT fixes to their existing systems.

    This book can go a long way in filling those gaps in industry knowledge and gaps in existing regulations that purport to improve electric reliability and secure the Smart Grid. At a minimum, the book will at least make both IT Security staff and Industrial Control Engineers aware of each other and the wide variety of fixes that can help or make matters worse when applied.

    Key nuggets that I took away from the book are as follows:

    1. One can not casually apply security policies, technical controls and testing to industrial controls and then declare victory.
    2. Applying typical IT security fixes like patches, vulnerability scans, password lockouts can be worse then the typical cyber threats they intend to fix.
    3. Industrial control systems (IOC) are temperamental and are designed with almost one thing in mind— availability. As the author states, most IOCs must operate at 99.9999 percent (5 minutes a year of down time)
    4. Many catastrophic events associated with electrical, natural gas, water and sewage are due to cyber events that are intentional and unintentional.
    5. Compliance with government regulations may give a false sense to industry, government and the public that our infrastructure is secure from cyber threats.
    6. While multiple industries use similar industrial controls, there is little sharing of information regarding instances of cyber threats or how to deal with them.
    7. Information Security Professionals and Industrial Control Professionals don’t have a forum to talk with each other.

    The one question that lingers after reading this book is why haven’t manufacturers of industrial control systems responded with hardware and software to protect systems against cyber threats. Certainly there appears to be a market for and a need to protect industrial control systems from such attacks. The answer alluded to it that the focus is on compliance with government regulations at the expense of security. It may also be because the upgrades required are expensive and regulatory bodies are not willing to include these expenditures in customer rate bases (at least for power).

    Also the bar or need to protect industrial control systems has already been raised by the discovery of the Stuxnet worm. This worm attacked programmable logic controller which are a part of industrial control systems. While the book does not mention Stuxnet, it’s message is all the…

    Read more

    Help other customers find the most helpful reviews 

    Was this review helpful to you? Yes
    No

  2. Jennifer Bayuk June 24, 2012 at 12:19 am
    5 of 5 people found the following review helpful
    5.0 out of 5 stars
    Systemic security issues finally get attention, August 28, 2010
    Amazon Verified Purchase(What’s this?)
    This review is from: Protecting Industrial Control Systems from Electronic Threats (Hardcover)

    Industrial control systems (ICS) execute large-scale manufacturing and commodity product delivery processes. They run electronic power grids, nuclear power plants, water and sewage treatment plants, transportation signaling, and numerous other recognizably critical infrastructures. Joe Weiss walks the layman effortlessly through the world of ICS cyber-components: distributed control systems, programmable logic controllers, intelligent electronic devices, remote terminal units, and supervisory control and data acquisition (DCS, PLC, IED, RTU, and SCADA). Along the way, he points out the cybersecurity vulnerabilities inherent in the design and operation of these systems. With examples that can be directly traced to headline news, he describes how easy it is to disrupt these systems with simple cybersecurity hacks.

    Though it may seem odd to the reader that such obviously critical systems are so easily disrupted, the way that Weiss explains the evolution of ICS and the myths that surround attempts at ICS technical security evaluation, his story line makes sense. For example, a typical software program lives 3-5 years before a major architectural change. A typical industrial control system lives 15-20. That means that the technology components in an ICS are likely to be at least 10 years old, very outdated by technology standards, and correspondingly vulnerable to today’s sophisticated cyber-attacks. In addition, cybersecurity threats to ICS are not the same as cybersecurity threats to mainstream information technology. An ICS is typically much more sensitive to very small changes in electronic components. Hence, technology controls that are often proscribed for mainstream information assurance, like scanning and patching, can actually harm these systems more than they help them.

    Weiss does a great job of bringing attention to this serious national security issue. The book is as engaging as it is rare. It will benefit anyone who is interested in critical infrastructure protection or systems security engineering.

    Help other customers find the most helpful reviews 

    Was this review helpful to you? Yes
    No

  3. TucsonDon June 24, 2012 at 1:02 am
    2 of 2 people found the following review helpful
    5.0 out of 5 stars
    Important for EMS engineers, October 4, 2010
    By 

    This review is from: Protecting Industrial Control Systems from Electronic Threats (Hardcover)

    This book is a must read for all system engineers involved in critical infrastructure protection systems. Mr. Wiess’s grasp of the topic is insightful and his recommendations are founded in good engineering practices. Easy book to read with case studies fully developed making it excellent for student, engineer and management.

    Help other customers find the most helpful reviews 

    Was this review helpful to you? Yes
    No

Comments are closed.