Protecting Industrial Control Systems From Electronic Threats by Joseph Weiss

7 Word Review – Missing: a quality editor. Pass on this.

Joe Weiss, one of the pioneers in control system security, has attempted to write an overarching book on control system security, and the result is almost unreadable. It meanders, fails to present information or opinions in a coherent way, and continues to fail at the end with a set of 40+ disjointed, bulleted recommendations. The recommendations range from “Determine what you really want to do, and do it” to “Block LAND attacks.” It is not that all of these recommendations are wrong; they are just not presented in a useful manner, with the appropriate background set up in earlier parts of the book.

This is disappointing because Joe has the necessary experience and knowledge, as well as a distinct point of view, to write a compelling book. I would have loved to read an organized explanation of his beyond-security definition of cyber incidents, how they should be addressed today, and what he feels we need to do in the future, but it is not in this book. The lack of solutions or any description of the path forward, beyond the detailed recommendation for an ICS-CERT in Chapter 9, is glaring. Are we supposed to live with systems that are fragile from an electronic threat standpoint, or what do we need to do as a community to improve the situation?

Ultimately I blame the editor or reviewers because they should have been pointing out rather obvious problems with most of the chapters.

If you do pick up this book, skip to the Selected Case Histories in Chapters 14 and 15. These 40 pages show what could have been, and the section on the 1998 Maroochy Wastewater Hack is the best writeup I’ve seen on this oft-discussed event. These chapters are useful for those new to control system security, whether they come from IT Security or Operations. I will quibble a bit with the Olympic Pipeline Company Cyber Security Issues section in Chapter 15. Joe points out numerous flaws in the cyber security program there, but there is no evidence that these had anything to do with the event. In fact, I think this discussion weakens his premise that we need to be concerned with cyber incidents, not just cyber security incidents.

There are nuggets, but they pass without substantiation or comment. For example, in Chapter 1 – Background Joe writes:

In fact, on September 10, 2001, I held two panel sessions on ICS security at ISA Expo in Houston, Texas. Attendees also included auto parts manufacturers and even a dog food manufacturer. The next day the world changed forever. From that infamous date onward, the perception of ICS security changed from a business issue to a national security imperative. This had the unfortunate implication of shifting the onus from the end user to the government.

I wanted to understand why he thinks this was unfortunate. What would have happened if it had remained just a business issue for the owner/operator? It seems to fly in the face of his feeling that we need a firm regulatory hand and would be better off with FISMA applied to all.

Another problem is that the intended audience was not effectively considered. If it was the control system novice, this book would not have helped, and other books are better. If it was the owner/operator, there is little here to help them move forward with cyber security. If the reader is experienced in control system security, there is little new here in fact or thought.

Some basic details on the book. It is 320 pages long; half of that is the main body of the book. The second half is Appendices, including Acronyms, Glossary, Comparison of Definitions, a CSIS White Paper and a DCS RFP. The DCS RFP and Joe’s notes on the absence of well-defined security requirements may be of interest to those who have not seen a control system RFP.

This is an admittedly rough review. So let me pull an example to show the problem: a very long and poorly structured opening paragraph from the 3-paragraph Chapter 2 – Definitions. Where was the editor?

Despite many efforts, there are still no singular definitions of many industrial control system (ICS) terms. Key terms such as “security” and even “supervisory control and data acquisition” (SCADA) carry different meanings to different organizations. For example, to a power system engineer, the term “security” can mean the interties (power flows) between utilities are open. Another very nebulous term is “electric grid.” From a cyber perspective, the electric grid should be the entire electric infrastructure, from electric generation to electric transmission to electric distribution, as they are electronically interconnected. However, most definitions of “electric grid,” particularly the Smart Grid, exclude central station generation. The North American Electrical Reliability Corporation (NERC) definition of “bulk electric system,” which is used for Critical Infrastructure Protection (CIP) standards, excludes electric distribution. Additionally, the latest version of the NERC CIP standards addresses the bulk electric system. However, there is no accepted single definition of the “bulk electric system.” For example, one utility may define 100 kV to be the threshold between transmission (bulk electric system) and distribution, while another utility defines 200 kV to be the threshold. There is even confusion between the terms “bulk electric system” and “bulk power system.” Certainly the more common usage of the term “energy security” refers to the availability of energy supplies and not cyber security. The term “SCADA” is also not always understood. Particularly for “cyber security,” the term “SCADA” can refer to the master station or the entire control loop from the master station to the final field devices. When I addressed this issue at the September 24, 2008, Association of California Water Agencies (ACWA) SCADA & IT Cyber Security Forum in San Jose, California, the IT (information technology) personnel took it to mean the entire system.
Unfortunately, the same confusion has occurred with other key terms. Approximately a year earlier, in a security panel meeting, the physical security expert proceeded to define “intrusion detection systems” (IDSs) as cameras and card readers. Another definition confusion occurred on May 15, 2008, at an Infragard critical infrastructure meeting in San Francisco. The U.S. Federal Bureau of Investigation (FBI) started the meeting discussing “IEDs.” Unfortunately, the IEDs they were discussing were “improvised explosive devices,” which have nothing to do with cyber security. The FBI and physical security attendees were apparently unaware of the electric utility industry’s use of the term IED meaning “intelligent electronic devices.”

The wait continues for the definitive control system security book.