5 Questions with Joe Weiss

Written by Curtis Marquardt.

CURTIS MARQUARDT JR:
Thanks for joining us, Joe! Can you tell our readers more about yourself and your utility security background?

JOE WEISS:
I have spent more than 50 years in the utility industry. I started as a nuclear engineer focusing on instrumentation, controls and equipment diagnostics for nuclear safety and reliability. I spent almost 15 years at the Electric Power Research Institute (EPRI) managing multiple control systems programs. In 2000, I helped start the control system cybersecurity program for the electric utilities. 

I was the managing director of the international standards on control system cybersecurity for 12 years and have supported the National Institute of Standards and Technology (NIST), the U.S. Department of Energy (DOE), the Nuclear Regulatory Commission (NRC), the Federal Energy Regulatory Commission (FERC), the U.S. Department of Defense (DOD), the International Atomic Energy Agency (IAEA) and the National Academies, and have testified to five congressional committees on control system cybersecurity.

CURTIS MARQUARDT JR:
You’ve written on the topic of how operational technology (OT)-related events can be incorrectly identified as cyberattacks when they might be caused by something less sinister. Can you talk about an example of this?

JOE WEISS:
The 2021 Oldsmar Water Treatment Plant event is a great example. Allegedly, a supervisory control and data acquisition (SCADA) user inadvertently entered erroneous data for lye concentration into the SCADA system. Unfortunately, the SCADA system allegedly did not reject the input as being erroneous. 

Because the SCADA system used cyber-vulnerable desktop software, it was allegedly assumed and reported that the remote desktop software was hacked externally. While the description of what occurred did not make sense to some in the community, it still gave the OT network cybersecurity community—and the U.S. Environmental Protection Agency (EPA)—a “real” water control system cyberattack case. While there is a need for effective cybersecurity efforts to protect our water utilities, this instance was allegedly not the cybersecurity event many presumed had occurred initially and highlights some issues with our abilities to accurately report events.

CURTIS MARQUARDT JR:
From a hardware component perspective, what makes identifying the cause of events so difficult?

JOE WEISS:
Control system field devices such as process sensors, actuators and drives have no cybersecurity, authentication or cyber forensics. Process sensor signals are assumed to be uncompromised, authenticated and correct. Consequently, there is little cyber forensic data to reference when an incident or event occurs.

CURTIS MARQUARDT JR:
For utilities looking to improve their ability to better discover the cause of an event, what should they be doing?

JOE WEISS:
A cyber incident is electronic communication between systems or systems and operator displays that affects process sensor integrity, system availability or safety. Control system cyber incidents do not need to appear malicious, as sophisticated attackers can make cyberattacks appear to be equipment malfunctions. 

Consequently, control system cybersecurity training and forensics need to be based on impacts—not OT network vulnerabilities. Control system cyber incidents are more common than expected; my database consists of more than 18 million control system cyber incidents that have killed more than 30,000 people, with very few having been identified as being cyber-related. So, the bottom line is that more training is needed and it needs to include engineers and OT network security personnel.

CURTIS MARQUARDT JR:
Finally, tell folks how they can get in touch with you to discuss this topic more.

JOE WEISS:
My email is joe.weiss@realtimeacs.com and my number is (408) 253-7934. My blog is at www.controlglobal.com/unfettered.