The validity of cybersecurity policies for control system environments

Control system cyber security is different than IT and requires an understanding of issues unique to control systems. It is time to discuss the validity of cybersecurity policies for control system environments. Cybersecurity policy has been based on preventing malicious attacks against IT data networks. IT cybersecurity has been a problem for more than 20 years. With all of the money and attention being paid to IT cybersecurity, it is still far from being a solved problem. Meanwhile control system cybersecurity is arguably more than 5-10 years behind IT security with much less management attention and associated funding. Control system cybersecurity is meant to keep lights on, water flowing, pipes from breaking, trains from crashing, etc. Some of the more important definitions used for control system cybersecurity are very different than the same terms used for IT. These include the definitions of endpoints, cyber incident, and Operational Technology-OT. Endpoints - For IT, endpoints are firewalls, routers, switches, cell phones, etc. For control systems, endpoints are Level 0,1 devices including process sensors, actuators, and drives.