John Organek, Director of Program Planning and Operational Architecture, EIS Council
June 25, 2024
Control systems are vital enablers of critical infrastructure that have transformed human-operated physical systems into cyber-physical systems. They pervade, and are expected to continue to pervade, virtually every aspect of our lives, from managing trains to opening doors to brewing our coffee. The infrastructures that we rely on have become dependent on these controls.
Whether the hazard is intentional or accidental, controls are very vulnerable to disruption, or worse yet, to being turned against the systems they support. The consequences can be grave to critical infrastructures and to the people served.

While such a gap in understanding is hard to imagine, control systems are often overlooked, their workings poorly understood, or their role mischaracterized by cybersecurity professionals, who frequently lump them into the ‘operational technology’ category, or simply OT. They then treat them using the same protocols and methods used for IT systems, focusing on data protection or networks, rather than on the operations they support.
They don’t dig deeper into incidents to determine whether a disruption was caused accidentally or intentionally, and thus they overlook the possibility of a cyber-attack when an infrastructure experiences a failure. Joe Weiss has pointed out this failure to identify root causes in one of many blogs: “…there have been at least two cyber-related Colonial Pipeline pipe ruptures though neither was identified as being cyber-related. Ironically, neither would be covered by the TSA cyber security requirements stemming from the Colonial Pipeline shutdown.” He further points out that “Identifying control system incidents as being cyber-related is difficult. It is complicated when government and industry organizations rush to judgment by stating that incidents weren’t cyberattacks without their knowing the actual cause.” Cyber defense planning and analysis must address the unique characteristics of control systems on their own terms, and possible cyber-disruptions should not be dismissed out of hand.
Misplaced Expertise
While they share many cyber characteristics across infrastructures, control systems also maintain operating characteristics proprietary to the physical medium they control, e.g., electricity, water, gas, and vehicles. Effectively addressing the cyber security of these physical systems requires proprietary expertise involving that medium. Unfortunately, cyber security is carried out by cyber subject matter experts who have little understanding of the physical operations, and operations engineers typically cannot ‘be bothered’ with cyber security details—a dangerous ‘impedance mismatch’. Most often, the Chief Information Security Officer (CISO) does not understand the ‘physics’, sees the threat as a network or IT issue, and prescribes an IT solution, while the Chief Engineer delegates authority and responsibility to ‘the cyber people’. Utility leadership should foster teamwork that synergizes the expertise of both parties.
Control systems play a vital, but continually misunderstood or deprecated security role in the cyber-physical infrastructures we depend on. We must reexamine how we treat controls, not as OT or IT, but as a unique subsystem with unique operational characteristics. We must also foster greater collaboration between those focused on the cyber and the engineers focused on the physical aspects of the same system. Finally, we must take greater care and responsibility to ensure that infrastructure disruptions are accurately classified so that effective resilience measures can be ‘prescribed.’