Cybersecurity INSIGHTS

Isolating Control Systems

Joe Weiss is the managing partner at Applied Control Systems, providing strategic consulting to optimize and secure control systems used in industry, manufacturing, transportation, building controls and defense. Weiss is a keynote speaker in operational technology, ICS and SCADA and a widely known industry expert on all things control systems and electronic security of control systems. He has been at this for quite some time, with more than 40 years of experience in industrial instrumentation controls and automation. This includes 14 years at EPRI in San Mateo, where he led a variety of programs including cybersecurity for digital control systems programs. Weiss has served as taskforce lead for the review of information security impacts on IEEE standards, is a director of the ISA Standards and Practices Board, and has provided oral and written testimony to three House subcommittees and one Senate committee, and a formal statement for the record to another House committee.

Weiss is an invited speaker at many industry and vendor user groups and security conferences, and has chaired numerous panel sessions on control system security. He’s frequently quoted throughout the industry, so if you want the ultimate knowledge base about almost any question relative to industrial controls, look no further. Weiss has published over 80 papers on instrument controls, diagnostics, COVID-19 and more. He’s a registered professional engineer in the state of California, a certified information security manager and certified in risk and information systems control.

Some of the major challenges in securing industrial environments have been initial design and ongoing maintenance. From Steve King’s point of view, the initial design challenges stem from the assumptions that networks were safe due to physical separation from the enterprise and no connectivity to the outside world, and that attackers lacked the specific knowledge to carry out an attack. We’re living in a different world now, and Weiss weighs in on what he recommends we do to harden our OT networks today:

What is important is not only to “firewall” – often I use the term firewall in quotes because it doesn’t have to be just a conventional firewall. But to isolate not only the control system networks from the IT networks, there is also a need to isolate the OT networks from each other depending on safety significance. So one of the reasons you have what are called data diodes, is because you don’t want to have communications going from “a more secure or higher level security zone.” It’s okay to go from there to the lower level one, but you don’t want a lower level zone going to a higher level.

In this episode of Cybersecurity Unplugged, Weiss also discusses:

  • What control systems consist of;
  • The two-fold problem between IT and the CISO;
  • Differences in IT in a control system world. 
