This article was printed in CONTROL's April 2009 edition.
When you’re talking about cybersecurity in the process industries, two questions matter most. The first is how much security you need to be really secure. The second is less obvious, but in many ways it defines the first, and it’s one people aren’t thinking about: what’s the difference between “compliance” and “security”?
To find out, we consulted experts on the ground: security consultants, regulations experts, vendors, systems integrators and end users. Not surprisingly, their answers covered a lot of territory, but they zeroed in on a central theme: security and compliance are not the same thing. And, while it’s tempting to treat compliance with existing regulations as “good enough” (and the most cost-effective) security, that’s a strategy that can come back to bite you, hard.
Bob Radvanofsky, owner of the SCADASEC mailing list (listserv), begins the discussion by parsing the classical definitions of compliance and security. He points out that they’re not synonymous and “practically contradict one another.”
“Clearly, the definition of ‘security’ does not constitute a method by which you are ‘complying with’ something. Consequently, being ‘compliant’ does not guarantee that something is ‘secure.’ One deals with compliance based on levels of coercion, meaning that someone or something made you [take certain actions]. Whereas, ‘security’ represents a state of mind, meaning that one feels safe or secure only if certain preventative and/or reactive efforts are implemented.”
Dan DesRuisseaux, manager, Ethernet Marketing Group, Schneider Electric, adds, “Compliance doesn’t assure security. A company can be compliant with internally or externally generated security regulations, but may still be vulnerable to attack. Being compliant with any one standard does not guarantee security.”
Joe Weiss, founder of Applied Control Solutions and author of ControlGlobal.com’s “Unfettered” blog, adds, “Ideally, North American Electric Reliability Corp.’s Critical Infrastructure Protection (NERC CIP) security compliance and securing assets should be complementary. NERC CIP compliance means you’ve met NERC’s requirements. Many people assume NERC requirements lead to secure assets, but they do not! What they lead to is a programmatic approach that may or may not be relevant to actually securing assets.”
Marcus Sachs, executive director, government affairs-national security, Verizon, puts it more bluntly. “Compliance equals auditors are happy. Security equals investors and customers are happy,” he says. “We tried to create a ‘culture of security’ many years ago, but failed. Instead, we created a ‘culture of compliance,’ and it led to a lot of problems. We need to get out of the checkbox mindset and back to thinking like security experts when examining information systems, regardless of whether they’re plant or enterprise IT systems.”
How Close to the Edge?
“How much security you need really depends on how much risk you’re willing to accept,” says John Cusimano, director of security services at exida. “With the understanding that one can never completely eliminate risk, corporations need to quantify their level of tolerable risk, and then design their systems to meet or exceed that level. Compliance measures conformity to a standard or regulation. The relationship between the two is that one can establish a target security level in the form of a tolerable risk level, and measure whether one is complying with that target.”
Todd Stauffer, PCS 7 marketing manager at Siemens Energy & Automation, concurs. “Security is a relative term. There’s almost no way to provide 100% assurance that a system is secure today and will be secure in the future. To maximize security posture, owner/operators should implement a defense-in-depth security concept. This concept leverages technology, such as firewalls, access control, virus scanners, software patch management, physical protection and personnel operating procedures, to create a layered defense. These measures must be continually updated and augmented to ensure that newly discovered security vulnerabilities are mitigated.”
How Much Security Is Enough?
Jake Brodsky of Washington Suburban Sanitary Commission (WSSC) describes the end user’s perspective. “How secure is secure enough? That’s really the foundation question. It’s like asking how safe our cars should be. We can include all sorts of measures in them, ranging from anti-lock brakes, airbags, seat belts, crumple zones, safety glass, traction control, etc. However, even this isn’t going to help if the driver is reckless. Control systems are like that. The biggest hurdle [to good cybersecurity] is education: ensuring that people understand what they’re doing when they design these things. It is also a matter of teaching people to operate securely.”
Brodsky adds, “As an interim step, we have to mandate a compliance-based approach, with the caveat that this alone may not prevent an attack. In the long run, a compliance-based approach is only a temporary measure until people combine enough experience and knowledge to know better.”