Joe Weiss provides thought leadership to industry and government in the area of control system cyber security and optimized control system performance. He has provided support to domestic
and international utilities and other industrial companies. He prepared white papers on actual control system cyber incidents supporting NIST SP 800-53. He is supporting the NRC on the Regulatory Guide for nuclear plant cyber security. Mr. Weiss chairs the annual Control System Cyber Security Workshop and is an invited speaker to numerous cyber security and critical infrastructure events. He has co-authored a chapter on cyber security for Electric Power Substations Engineering as well as numerous articles. Mr. Weiss provided expert testimony to the October 17, 2007 House Homeland Security Subcommittee and provided control system cyber security recommendations to the Obama Administration. He has prepared a module for the IEEE Education Society. He is now a US Expert to IEC TC65 WG10.
This paper is a result of a cyber risk assessment undertaken with the goal of increasing the cyber awareness of operators of infrastructure, managers, and political leadership. The meaning of cyber has, in our opinion, been aggregated to a bumper sticker label so generic, it means very little of anything to anyone trying to understand cyber risk. Senior executives and political leaders have a very limited understanding of industrial control systems (ICS) and the crucial role ICS provide to public/private infrastructure, industry, and military systems. Therefore, to accomplish our
purpose, we conducted a cyber-risk study focusing on a bridge tunnel ICS – a scenario of concern. In this paper we present the analytic approach, discuss our model, simulation, and analyze the results using a notational data and generic system description. As a result of this study we were able to discuss the importance of controls systems with senior leaders. We were able to demystify what we mean by “cyber” showing that it is possible through simulation to inject the effects of cyber scenarios of concern into simulations to assess impact. There was also an unintended benefit: During a system audit, ICS operators with decades of engineering experiences began to realize that the ICS is vulnerable to willful intrusion. More of these studies are needed to raise awareness.