From a nuclear meltdown to Y2K and 9/11, Joe Weiss paints a frightening picture of cyber vulnerabilities in things that can go BOOM in the night.
Joe Weiss is what you would call a trailblazer in the realm of critical infrastructure cybersecurity. During his 40+ years in industrial instrumentation, controls, and cybersecurity, he has set many of the standards we now aspire to achieve and written multiple books on cybersecurity for power stations, water stations, and data centers. He is the managing partner at the Applied Control Solutions consultancy and a director of the International Society of Automation.
Cybellum invited Joe to be a guest on the Left to Our Own Devices podcast where he enlightened us on why some of the most critical components holding together our civilization lack basic authentication protocols.
Centralizing data is crucial for detecting flaws and vulnerabilities
Educated as a nuclear engineer, Joe kicked off his career at GE’s Nuclear Energy Division. “In the ’70s, ’80s, and early ’90s there was no talk of ‘cyber’. Everything I was doing focused on instrumentation, controls, and equipment diagnostics for safety and reliability,” said Joe.
He recounts a particular project in which he investigated the reason for cracking in the pump shafts of nuclear power plants. Realizing that the vibration monitoring sensors weren’t accurately reflecting what was happening in real time, he went to France, a country with over 50 nuclear plants, to find out more.
“Their R&D facility was collecting the vibration data from all of their plants for analysis. [Similar to today’s] fleet asset management. In the end, it turned out to be a manufacturing flaw… this was the original hardware supply chain.”
Forty years later, awareness of the need for organized data, SBOMs, and software supply chain management is finally emerging. Joe continued, “Isn’t it ironic that here we are today in 2022 and the things that can go ‘BOOM in the night’ have absolutely no cybersecurity?”
Y2K exposed the cyber risk in an increasingly connected industry
Around 1998, plant instrumentation was becoming progressively computerized, and industrial operators were concerned about Y2K.
“Y2K was effectively a cyber issue. A law passed that made all of the directors and executives personally liable, and for the first time ever silos came down in different organizations because [they] didn’t want to be fined or go to jail,” said Weiss. “When Y2K ended, we started talking about X.509 [authentication] certificates for intrusion detection. There wasn’t a single power plant or substation anywhere that had any of that.”
Realizing this gap, Joe started the EPRI program for instrumentation and controls, which investigated whether cyber was introducing an incremental risk that the industry hadn’t accounted for.
September 11th perpetuated the lack of security in industrial devices
In 2001, cybersecurity was already being addressed as a critical business issue for every major industry, from power plants to dog food and consumer goods, because, as Joe puts it, “if the control systems don’t work, you can’t make anything.”
After the 9/11 attacks, industrial cybersecurity got ‘upgraded’ to a matter of national security.
Joe explained, “When that happened, cyber was yanked away from every engineering organization everywhere, and given to IT. But to IT, cyber was just the internet protocol networks and the IP native devices. So all of our engineering equipment–sensors, actuators, drives, analyzers, power, all of that–fell off the turnip truck.”
At some point a distinction was made between IT and OT, with OT originally referring to the control system network. IT was equated with cybersecurity, while OT was basically forgotten. According to Joe, this is why, to this day, there is no cybersecurity in most industrial components used to measure or control.
Product security develops serious blind spots when engineers are barred
Joe is adamantly in favor of the holistic Product Security lifecycle approach. However, so long as engineers are not included in the process from the get-go, there will continue to be vulnerabilities. For Joe, it all boils down to culture: “There isn’t a single cybersecurity policy making organization that has, [even] as a member, a VP of engineering or operations in it… [They’re] headed by the CSOs or CIOs, neither of which have any of the actual equipment under their responsibility. It is impossible to secure any physical infrastructure if you don’t [include] the people who understand, design, and operate it… Until culture changes, it [will continue to] be impossible.”
Unfortunately, the relevant engineers are often discouraged or barred from these groups. Joe admits that even within the ranks of the International Society of Automation committee that sets the standards for control system cybersecurity (ISA 99), the majority of members are network professionals, not engineers.
One effect of this is evident in the time scales that security addresses. According to Weiss, today’s security “ignores what happens from when mother nature first starts something until it actually becomes a packet. And the other thing the cybersecurity world ignores, for whatever reason, is that control and safety occur in milliseconds.” Without accounting for all of this, these systems cannot be secured properly.
Cybersecurity standards don’t apply to modern or legacy OT devices
“One of the ISA 62443 standards is called 4-2. [It] is the only component cybersecurity spec I know of for sensors, actuators, drives, controllers, et cetera,” says Joe.
The people who came up with this standard were IT professionals, not engineers, and that’s why it doesn’t apply well to either legacy or modern devices. These are the devices running the networks in medical facilities, air filtration units, elevators, etc.
Upon discussing real-world use cases, Joe dove into examples of safety transmitters and sensors in LNG and petrochemical facilities: “Blow one of those up. You take out half of downtown.” According to Weiss, the latest transmitters on the market fail the 4-2 standard on 69 cybersecurity requirements out of 138, and a new set of sensors apparently requires absolutely no authentication to upload data to the cloud.
“Guess what,” prompted Joe, “there are no passwords. Not that they are 1, 2, 3, not that they are default, there are NO passwords, NO authentication. Everything that you think is necessary doesn’t exist. So unless you have the engineers who are designing equipment part of the Product Security lifecycle from the beginning – you’re not going to have security… and this includes vendors, too.”
Top industry executives are responsible for mitigating an existential threat
Moody’s, the credit rating agency, recently published its Cyber Heat Map, which flags the electric, water, and oil and gas industries as high risk. For Joe, and arguably every citizen of the world, the vulnerabilities of sensors, actuators, and drives in critical infrastructure are an existential threat that is being totally ignored.
It’s up to top executives to take responsibility, include engineers in the cyber-standardization process, and ensure that those standards are implemented in even the smallest of switches.