- Aug 30, 2022 1:42 pm GMT
August 25, 2022, I received a call from an insurance specialty insurer who had received an Operational Technology (OT) Supplemental Application from a global control system supplier to the aerospace industry, industrial operations, and the US Department of Defense. I am personally aware of at least some of the company’s products because of their use in nuclear and fossil power plants, oil and gas facilities, and renewables. The OT Application had twenty-four questions with some having multiple parts. This Application demonstrates the culture and technical gaps between the IT and control system (OT) communities. The form was signed off by the supplier’s Senior Director of IT Security. How can IT think it is OK not having OT cyber security experts involved? I, and others “in the know”, do not believe this vendor’s approach is unique and that other critical equipment suppliers are taking the same or similar approaches. How could any nuclear power plant with this vendor’s equipment (this is most, if not all, US nuclear plants) pass an NRC cyber security audit? Even worse, this equipment is out-of-scope for a NERC CIP compliance audit. The responses to the Application raise questions about the validity of CISA’s 100-day approaches when this vendor’s equipment is an integral part of electric, water, oil/gas, pipelines, and chemical facilities.
No discussions yet. Start a discussion below.
Get Published - Build a Following
The Energy Central Power Industry Network is based on one core idea - power industry professionals helping each other and advancing the industry by sharing and learning from each other.
If you have an experience or insight to share or have learned something from a conference or seminar, your peers and colleagues on Energy Central want to hear about it. It's also easy to share a link to an article you've liked or an industry resource that you think would be helpful.