I had a discussion with Joe Weiss, PE, voting member and managing director of the ISA99, Industrial Automation and Control Systems Security committee, who is bringing into focus major cybersecurity and safety issues. He is committed to standards and practices to achieve secure systems. Weiss is an ISA Fellow, a Certified Information Security Manager (CISM), and is Certified in Risk and Information Systems Control (CRISC). Cybersecurity is a big issue that can have serious consequences. We discussed cybersecurity and safety issues, and my questions and his responses follow:

What are the most serious issues that are gaps in cybersecurity thinking today?

The first issue is the use of the word "edge." To the information technology community, an "edge" device is a router, switch, hub, cell phone, tablet, laptop, etc. To a control system engineer, an "edge" device is a sensor, actuator, or drive, that is, a Purdue Reference Model Level 0,1 device.

The lack of cybersecurity in Level 0,1 devices, as described in the Purdue Model and ISA95, stands out as a major area of vulnerability that is not being adequately addressed. Attacks at this level can directly impact the reliability and safety of processes, manufacturing, material handling, and overall production. Level 0,1 devices are the fundamental elements that manipulate physical processes and production. Devices include process sensors, analyzers, actuators, motor controls, and related instrumentation. These are the fundamental "things" that make process control and manufacturing automation possible, reliable, safe, and effective.

There has been a significant emphasis on computer systems and networks, which are important, but essentially no strategy for Level 0,1 devices. The lack of cybersecurity focus on Level 0,1 devices provides a serious cybersecurity exposure. The lack of cybersecurity and authentication in Level 0,1 devices...