Control Systems — The Achilles Heel of the Cyber-Physical Miracle

John Organek, Director of Program Planning and Operational Architecture, EIS Council

June 25, 2024

Control systems are vital enablers of critical infrastructure that have transformed human-operated physical systems into cyber-physical systems. They pervade, and are expected to continue to pervade, virtually every aspect of our lives, from managing trains to opening doors to brewing our coffee. Our infrastructures have become dependent on these controls.

Whether the hazard is intentional or accidental, controls are very vulnerable to disruption, or worse yet, to being turned against the systems they support. The consequences can be grave to critical infrastructures and to the people served.   

Misplaced Focus

While such a gap in understanding is hard to imagine, control systems are often overlooked, their workings poorly understood, or their role mischaracterized by cybersecurity professionals, who frequently lump them into the ‘operational technology’ category, or simply OT. They then treat them using the same protocols and methods used for IT systems, focusing on data protection or networks, rather than on the operations they support.

They don’t dig deeper into incidents to determine whether a disruption was caused accidentally or intentionally, and thus they overlook the possibility of a cyber-attack when an infrastructure experiences a failure. Joe Weiss has pointed out this failure to identify root causes in one of many blogs: “…there have been at least two cyber-related Colonial Pipeline pipe ruptures though neither was identified as being cyber-related. Ironically, neither would be covered by the TSA cyber security requirements stemming from the Colonial Pipeline shutdown.” He further points out that “Identifying control system incidents as being cyber-related is difficult. It is complicated when government and industry organizations rush to judgment by stating that incidents weren’t cyberattacks without their knowing the actual cause.” Cyber defense planning and analysis must address the unique characteristics of control systems on their own terms, and possible cyber-disruptions should not be dismissed out of hand.

Misplaced Expertise

While they share many cyber characteristics across infrastructures, control systems also have operating characteristics specific to the physical medium they control, e.g., electricity, water, gas, and vehicles. Effectively addressing the cyber security of these physical systems requires expertise specific to that medium. Unfortunately, cyber security is carried out by cyber subject matter experts who have little understanding of the physical operations, and operations engineers typically cannot ‘be bothered’ with cyber security details: a dangerous ‘impedance mismatch’. Most often, the Chief Information Security Officer (CISO) does not understand the ‘physics’, sees the threat as a network or IT issue, and prescribes an IT solution, while the Chief Engineer delegates authority and responsibility to ‘the cyber people’. Utility leadership should foster teamwork that synergizes the expertise of both parties.

So, What Do We Do?

Control systems play a vital, but continually misunderstood or deprecated, security role in the cyber-physical infrastructures we depend on. We must reexamine how we treat controls, not as OT or IT, but as a unique subsystem with unique operational characteristics. We must also foster greater collaboration between those focused on the cyber aspects and the engineers focused on the physical aspects of the same system. Finally, we must take greater care and responsibility to ensure that infrastructure disruptions are accurately classified so that effective resilience measures can be ‘prescribed.’
