Howard Penrose, Ph.D., CMRP, is president of MotorDoc LLC and is the current SMRP vice chair. In a separate interview, Penrose described his impressions of SMRP’s recent visit to Capitol Hill.
PS: Which committees did you meet with during the fly-in; what was your message; and how was it received?
HP: We met with three cyber and infrastructure groups and two representatives in relation to infrastructure and education, including trades and apprenticeships. Even in the two meetings where we hoped to discuss infrastructure and education, we were asked for our opinion on cybersecurity in relation to IoT/IIoT and commercial/industrial communications. We met with the lead staff members of both the majority and minority committees on Homeland Security in relation to cybersecurity of IoT/IIoT devices as well as cloud-based and web-based communications. These meetings tied directly in with our work on infrastructure, including grid and municipalities and related systems. Both organizations have approached SMRP to counsel in these areas.
One area that was brought up in conversation multiple times was the threat of black-hat hackers and criminals in IoT/IIoT devices, smart devices and web-based systems, in particular those utilized by maintenance organizations. Presently, there are no systems or methods in place to verify the trustworthiness of IoT/IIoT and cloud-based systems. With SC Media (Arbor Study, 2017 Worldwide Infrastructure Security Report) citing increases in attacks up 7,900% since the report started in 2005, attacks up 68% since 2016, and 43% of data centers and cloud providers experiencing outages because of IoT-device-exploited attacks, the issue has an impact on our industries. The criminals involved will often target and scan for IoT devices and systems with known firmware issues that can be exploited, and most of those systems are related to physical asset management.
We also met with Congresswoman Sheila Jackson Lee (D-TX)’s office to discuss the SCOUTS Act that SMRP assisted in drafting. This legislation addresses a specific weakness in utility cyber-resiliency in which utilities are not presently supposed to discuss cybersecurity issues and problems such as exploitable devices, and provides a clearinghouse to share information in order to strengthen our defenses. The Act will be on the table for discussion and vote this year.
We will continue to have meetings to further SMRP’s desire to create a comprehensive study on the impact of IoT/IIoT, cloud, and communication systems cybersecurity in relation to commercial and industrial infrastructure throughout the current year. In addition, SMRP is looking for ways and means to educate the maintenance, reliability, and physical asset management community on the potential impact of a cyber-attack and how to avoid, or at least reduce it. As noted by all cybersecurity professionals: “It’s not if you will be impacted by a successful attack, but when.”
PS: Does the topic of cybersecurity help get the attention of the committees, given the extra attention that topic and others (big data, digital transformation) are getting lately by industry press?
HP: Big data, digital transformation, and many of the systems we utilize to maintain our systems are of very great concern to the policymakers we have met. There are presently very few standards, limited knowledge or attention, and greater attacks against these systems by black-hat hackers. All it takes is one administrator using a weak password or an accidental or deliberate opening left by someone. This is one of the areas (where) we’ve been asked to lend our expertise.
PS: What are some of your goals when working/meeting specifically with OSHA?
HP: SMRP is developing a partnership with OSHA that includes the creation of industry-specific input and materials for SMRP members. A safe workplace is a reliable workplace, and we have noted a significant interest from members and officials when SMRP has any discussion in relation to OSHA. SMRP will continue in this direction and will provide supportive feedback to OSHA where such items impact our industry.
It is important to understand that SMRP did not address these committees and policymakers with a specific agenda that we want them to address. We have approached with the understanding that “we are SMRP and we are here to help.”