Episode 305 – Cyber security is more than just IT incidents

Joseph Weiss (www.controlglobal.com/unfettered) is an industry expert on control systems and electronic security of control systems, with more than 40 years of experience in the energy industry. Mr. Weiss spent more than 14 years at the Electric Power Research Institute (EPRI), the first 5 years managing the Nuclear Instrumentation and Diagnostics Program. He was responsible for developing many utility industry security primers and implementation guidelines.

In this podcast, he shares his insights on Industrial Control System risks, from an engineer’s perspective.

By highlighting differences in concepts (such as Purdue versus OSI, Zero trust versus 100 percent trust), he explains how a control engineer’s focus on actual devices (such as sensors) is critical to safely managing control system risks. For example, while data sent from devices could be manipulated by malicious actions such as hacking, there are other threats that are yet to of focus in cybersecurity discussions. These include deliberately compromised hardware at source and hardware “drift”. 

He urges the need for a paradigm shift from “cyber physical” to “physical cyber” in managing control system risks, where attention is to be paid to physical risks, supported by cyber risk management. This is what he calls “go back to the future”, to manage control system risks by engineers monitoring process anomalies, of which network is part.

Mr. Weiss serves as a member of numerous organizations related to control system security. He is also an invited speaker at many industry and vendor user group security conferences, has chaired numerous panel sessions on control system security, and is often quoted throughout the industry.

He has published over 80 papers on instrumentation, controls, and diagnostics including chapters on cyber security for Electric Power Substations Engineering and Securing Water and Wastewater Systems. He coauthored Cyber Security Policy Guidebook and authored Protecting Industrial Control Systems from Electronic Threats.

In February 2016, Mr. Weiss gave the keynote to the National Academy of Science, Engineering, and Medicine on control system cyber security.

Mr. Weiss has conducted SCADA, substation, nuclear and fossil plant control system, and water systems vulnerability and risk assessments and conducted short courses on control system security. The risk assessments include utility-scale solar farms and wind turbines. He has amassed a database of almost 12 million actual control system cyber incidents. He was a member of Transportation Safety Board Committee on Cyber Security for Mass Transit.

He was a subject matter expert to the International Atomic Energy Agency on nuclear plant control system cyber security.

Mr. Weiss has received numerous industry awards, including the EPRI Presidents Award (2002) and is an ISA Fellow, Managing Director of ISA Fossil Plant Standards, ISA Nuclear Plant Standards, ISA Industrial Automation and Control System Security (ISA99), a Ponemon Institute Fellow, and an IEEE Senior Member. He has been identified as a Smart Grid Pioneer by Smart Grid Today. He is a Voting Member of the TC65 TAG and a US Expert to TC65 WG10, Security for industrial process measurement and control – network and system security and IEC TC45A Nuclear Plant Cyber Security. Mr. Weiss was featured in Richard Clarke and RP Eddy’s book- Warning – Finding Cassandras to Stop Catastrophes. He has patents on instrumentation, control systems, and OT networks.

He is a registered professional engineer in the State of California, a Certified Information Security Manager (CISM) and Certified in Risk and Information Systems Control (CRISC).

Interview with Jane Lo, Singapore Correspondent. Recorded 9th December 2021 US California 3pm/ 10th December 2021 Singapore 7am.


About the Provider

MySecurity Media
MySecurity Media has an all-media capability and continues to track the rapid advancement of security and technology to educate, entertain and engage with professionals around the world and across the security domain.