Sox for Control Systems?
Some interesting fireworks have appeared in the skies over ControlGlobal.com this month. Security guru, Joe Weiss posed the question, does the Sarbanes-Oxley Act, particularly Section 302, which mandates a set of internal procedures designed to ensure accurate financial disclosure, apply to control systems? He argued that it did.
Joe said, “Control systems, such as DCS, SCADA and energy management, are IT systems and materially affect the financial health of companies using them. Often they are electronically connected to ERP systems. Failures of control systems to perform as designed can result in facility shutdowns, equipment damage with potential long-term consequences and/or impacts to personnel safety. There has been at least one case where a cyber event occurred with a SCADA system that led to deaths, significant environmental destruction, significant economic impact and ultimately led to the failure of the company. Consequently, it appears to me that SOX as written should apply to control systems and their cyber security.”
Not everyone agreed. Commenters split down the middle.
The idea of the intersection of Sarbanes-Oxley and cyber security is thought-provoking. SOX definitely applies to control systems where custody transfer is part of the scope, such as oil & gas and gas-production-to-pipeline distribution. I wrote about this in an Emerson Process Experts blog post at: www.emersonprocessxperts.com/archives/2006/08/custodytransfe1.html.
Emerson Process Systems
So it wasn’t bad enough that we already had an alphabet soup of agencies and organizations making policy at every turn. Now we add SOX to the mix?
SOX was designed for ERP and financial reporting integrity. Extending those policies to industrial control systems could lead to disaster.
These industrial control systems standards are engineering, not IT standards. Yes, there are IT people in the mix, because they eventually have to receive the data in some form, and their assistance will be needed at some level.
We also have state regulations in many places which assign all responsibility for reporting to a plant superintendent. Clearly, SOX will have to deal with situations like that. I don’t envision any court of law thinking that financial accounting should dictate environmental reporting standards.
I think we can safely leave SOX with the IT crowd and push the corporate ERP mess as far off as we can. Few can afford to upgrade or secure control systems the way SOX would have us act. We must inject a note of realism here, take control of what is properly an engineering discipline, and kick the wannabes out.
Washington Suburban Sanitary
Jake, I don’t think you get that choice. Fact is, lawyers run things, and lawyers will use SOX the first time something bad happens at a utility or at a large refinery or chemical plant. Think they won’t? I wouldn’t hold my breath.
Editor in Chief, Control