By Ralph Langner
Reviewed by Andrew Richardson, CISA, CISM, CRISC, MBCS, MCMI
Robust Control System Networks—How to Achieve Reliable Control After Stuxnet is for security professionals who work with industrial automation and control systems. This book provides a well-explained methodology for creating reliable and dependable control systems. It does not negate or take away from current practice and can be considered a source of information for plant planners, operators and systems maintenance engineers.
This book touches on Stuxnet but focuses more on a method and a process for creating reliable control systems, which, if designed correctly, will behave in a robust and reliable manner during unexpected conditions.
Chapters 1, 2 and 3 explain 3 different methods for looking at risk and define cyberfragility and cyber-robustness. The author presents 3 different risk models and explains the differences among them. Rather than referring to high and low risk, the book uses the terms “fragility” and “reliability.”
Chapters 4 and 5 focus on building a model of the system and creating a requirements and system specification. Key points of discussion include understanding the system before it can be controlled and knowing why a system is designed in a certain manner.
Chapters 6, 7 and 8 look at imposing structure, enforcing and reinforcing structure, and modifying structure. Imposing structure covers reduction strategies that can help create order by reducing variability. Enforcing and reinforcing structure looks at surplus strategies for ensuring continued operation when faced with atypical conditions. Modifying structure focuses on change management and notes that the vast majority of problems have been the result of deliberate and well-intended changes, rather than malicious cyberattacks.
Robust Control System Networks relates its theories back to practical examples, not just with reference to Stuxnet but also with examples from varying industries that rely on control systems. The book also has a comprehensive appendix that describes numerous subtle, unanticipated cyberfragility effects and provides real-world examples of how these effects have manifested themselves.
Robust Control System Networks—How to Achieve Reliable Control After Stuxnet is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in the latest issue of the ISACA Journal, visit the ISACA Bookstore online or email firstname.lastname@example.org.
Andrew Richardson, CISA, CISM, CRISC, MBCS, MCMI, is the group information security officer (ISO) at AEGON UK. Richardson has more than 25 years of experience in IT, information security, audit and risk.