- Hardcover: 310 pages
- Publisher: Momentum Press (May 15, 2010)
- Language: English
- ISBN-10: 1606501976
- ISBN-13: 978-1606501979
- Product Dimensions: 7.5 x 1.2 x 9.5 inches
- Shipping Weight: 1.7 pounds (View shipping rates and policies)
- Average Customer Review: 8 customer reviews
Amazon Best Sellers Rank:
#279,998 in Books (See Top 100 in Books)
- #9 in Books > Computers & Technology > Hardware & DIY > Microprocessors & System Design > Control Systems
- #51 in Books > Engineering & Transportation > Engineering > Industrial, Manufacturing & Operational Systems > Industrial Technology
- #160 in Books > Engineering & Transportation > Engineering > Industrial, Manufacturing & Operational Systems > Manufacturing
Enter your mobile number or email address below and we'll send you a link to download the free Kindle App. Then you can start reading Kindle books on your smartphone, tablet, or computer - no Kindle device required.
To get the free app, enter your mobile phone number.
Protecting Industrial Control Systems from Electronic Threats
Use the Amazon App to scan ISBNs and compare prices.
Frequently bought together
Customers who bought this item also bought
Customers who viewed this item also viewed
For many years, Joe Weiss has been sounding the alarm regarding the potential adverse impact of the law of unintended consequences on the evolving convergence between industrial control systems technology and information technology. In this informative book, he makes a strong case regarding the need for situational awareness, analytical thinking, dedicated personnel resources with appropriate training, and technical excellence when attempting to protect industrial process controls and SCADA systems from potential malicious or inadvertent cyber incidents. --Dave Rahn, Registered Professional Engineer, with 35 years experience.
"I look forward to reading Joe s book based on my professional association with him over the last twenty years. His passion, technical excellence and expertise drives him to follow through with questions others often fail to comprehend or are afraid to ask - What is the root cause? - What are the generic implications? I expect no less from this book. It should help to extend the knowledge and ability of control system and IT practitioners working in this important area. Perhaps more importantly, it should help policy makers and leaders interested in making informed decisions decisions that should lead to improved cyber security in industrial automation and control systems." --Robert C. Webb, PE, Industrial Control Systems Secure, LLC.
"Protecting Industrial Control Systems from Electronic Threats offers a unique and fresh perspective into control systems security. Weiss thoroughly outlines important distinctions between traditional IT and control systems risks. He makes a compelling case for advancing higher education in this field and the need for new certification programs. If you deem critical infrastructure important, you should read this book." --Jon Stanford, CGEIT, CISM, CISSP, industry security expert and CISO.
About the Author
Joe Weiss is a Managing Partner for Applied Control Solutions, LLC. Joe has won numerous awards. He is an ISA Fellow, and has won ISA Power Industry Division Best Paper Award 2006; ISA Excellence in Documentation Award 2004; EPRI Presidents Award, 2002; and EPRI Chauncey Award Winner, 1999.
Top customer reviews
There was a problem filtering reviews right now. Please try again later.
The 166 pages of this text really amount to a crash course on industrial control systems and document why many typical IT security measures may fail to prevent cyber attacks. In fact the author goes to great lengths to explain how such out of the box security fixes may do more harm than good and bring the underlying hardware and software to a screeching halt. The real impacts of that happening could translate to blackouts and brownouts, pipeline explosions and a host of other inconveniences depending on the kind of system one is dealing with.
Joe Weiss leads the reader slowly through the technical issues of industrial control systems and provides numerous examples of how cyber threats have plagued various industries. These summaries are detailed and valuable. I found myself thinking about what administrative and logical controls to apply.
This book is ideal for any IT Security professional or regulators who have to grapple with protecting electric, natural gas, oil, water, chemical and transportation infrastructure from cyber attacks. Some of the materials are very technical and policy makers and regulators may find these distracting. However, one needs this grounding if only to appreciate that securing industrial controls of power, natural gas, water, etc. is complicated and can not be done without carefully examining the implications of policies, regulations, and technical fixes being applied to the IOCs. To do otherwise may only make matters worse.
In fact, owners of these facilities would be wise to prevent IT Security experts from working on their industrial control facilities who don't at least have an appreciation of their respective facilities. The reverse is true is also true. Industrial control engineers who don't have a grounding in IT security can't just simply apply IT fixes to their existing systems.
This book can go a long way in filling those gaps in industry knowledge and gaps in existing regulations that purport to improve electric reliability and secure the Smart Grid. At a minimum, the book will at least make both IT Security staff and Industrial Control Engineers aware of each other and the wide variety of fixes that can help or make matters worse when applied.
Key nuggets that I took away from the book are as follows:
1. One can not casually apply security policies, technical controls and testing to industrial controls and then declare victory.
2. Applying typical IT security fixes like patches, vulnerability scans, password lockouts can be worse then the typical cyber threats they intend to fix.
3. Industrial control systems (IOC) are temperamental and are designed with almost one thing in mind--- availability. As the author states, most IOCs must operate at 99.9999 percent (5 minutes a year of down time)
4. Many catastrophic events associated with electrical, natural gas, water and sewage are due to cyber events that are intentional and unintentional.
5. Compliance with government regulations may give a false sense to industry, government and the public that our infrastructure is secure from cyber threats.
6. While multiple industries use similar industrial controls, there is little sharing of information regarding instances of cyber threats or how to deal with them.
7. Information Security Professionals and Industrial Control Professionals don't have a forum to talk with each other.
The one question that lingers after reading this book is why haven't manufacturers of industrial control systems responded with hardware and software to protect systems against cyber threats. Certainly there appears to be a market for and a need to protect industrial control systems from such attacks. The answer alluded to it that the focus is on compliance with government regulations at the expense of security. It may also be because the upgrades required are expensive and regulatory bodies are not willing to include these expenditures in customer rate bases (at least for power).
Also the bar or need to protect industrial control systems has already been raised by the discovery of the Stuxnet worm. This worm attacked programmable logic controller which are a part of industrial control systems. While the book does not mention Stuxnet, it's message is all the more compelling now that the worm is in the wild and variants of it may follow.
Though it may seem odd to the reader that such obviously critical systems are so easily disrupted, the way that Weiss explains the evolution of ICS and the myths that surround attempts at ICS technical security evaluation, his story line makes sense. For example, a typical software program lives 3-5 years before a major architectural change. A typical industrial control system lives 15-20. That means that the technology components in an ICS are likely to be at least 10 years old, very outdated by technology standards, and correspondingly vulnerable to today's sophisticated cyber-attacks. In addition, cybersecurity threats to ICS are not the same as cybersecurity threats to mainstream information technology. An ICS is typically much more sensitive to very small changes in electronic components. Hence, technology controls that are often proscribed for mainstream information assurance, like scanning and patching, can actually harm these systems more than they help them.
Weiss does a great job of bringing attention to this serious national security issue. The book is as engaging as it is rare. It will benefit anyone who is interested in critical infrastructure protection or systems security engineering.
I liked the book and recommend it for any individual that has a strong background in IT security (such as myselft) yet little or no experience with ICS. The case studies serve to highlight the fact that ICS can and have been subject to "attack".
Appendix 5: Typical Distributed Control Systme Procurement Specification provided insights for me to what I need to pay closer attention to when new systems or systems upgrades occur.
I could not agree more that a training program needs to be in place to allow security staff not only assure compliance but to know that the systems are secure.