Cybersecurity in Your Safety DNA
But it's not just electric companies that don't get the security/safety nexus. Many companies see cybersecurity as solely an IT problem.
Weiss points out, "I have found that senior management are keenly aware of IT security issues because of Sarbanes-Oxley, but they are only aware of control system security when something bad happens. An ongoing dilemma is how to educate senior management to be as interested in protecting their operational assets as they are in having their ERP installed on time and within budget."
Echoing Cosman, Weiss goes on, "Plant management often feels that cybersecurity is an IT issue—protecting emails and the data in enterprise servers. Another ongoing dilemma is how to educate plant management to understand how cybersecurity can affect reliability and safety."
Sikora adds, "There is too much focus on the technical aspects of security and less on the business aspects. We need to educate our engineers to speak a business language and present to management metrics around security. Our security risk is X. We need to invest Y to reduce our risk by Z."
Al Fung, director of marketing for safety and critical control solutions for Invensys Operations Management (IOM), says, however, "We are seeing a shift in attitude towards raising the importance of security."
Managers are reaching out to the cyber and safety communities to learn and understand the impact and consequence of an attack, Fung says, and they are engaging control system vendors to help prevent and mitigate potential risks.
That's good, because just like safety, security is not fundamentally a vendor issue. Fung's IOM colleague Ernie Rakaczky, program manager for cybersecurity, has pointed out that the vendor's responsibility to produce secure systems solves about 25% of the problem, while end users are responsible for the remaining 75% in the way they implement security policies, procedures, training and enforcement. Just as companies need to create and maintain a safety culture, they also need to create and maintain a security culture—and recognize that the two cultures are the same.
Fung goes on, "Defense-in-depth security is similar in approach to layers of protection for safety in the context of risk reduction and mitigation. Any plant design, safety risk assessment and hazard analysis that involves the use of any industrial control equipment needs to include a security assessment as part of the design for plant safety. If it isn't an integral part, it should be."
And here's where plant security and safety collide. "Plant management and executive management may be concerned about, but do not understand industrial control security," John Cusimano says. Most often they look to the IT department, but "the challenge is that while IT knows how to secure networks, it does not know how to properly apply security control in an industrial control system (ICS) environment. Security assessments tend to focus on fundamentals, such as strengths of passwords, and definitely do not address how to secure ICS protocols."
In the United States, when the Occupational Safety and Health Administration (OSHA) was established in 1971 under the Nixon administration, the new agency focused on workplace safety, not functional safety in the process industries. It also focused on "compliance" to the Occupational Safety and Health Act of 1970.
Since that time, the number of usually avoidable accidents causing property damage, injuries and some fatalities has remained high; this writer estimates that between 100 and 200 process plant workers are killed annually, and thousands injured.
And for readers with a financial bent, BP's Texas City refinery has not yet recovered full production since the accident in 2005 that took 16 lives and damaged a significant part of the plant. These accidents carry a huge financial cost in terms of plant downtime, with loss of revenue in nearly every accident, including some plant-closing events, not to mention payouts to victims and their families and government fines, plus softer costs to corporate reputations as well as damage to communities and significant ecological costs.
But savvy end users understand that a good safety culture is about making things safer, not about being compliant with regulations. Safety systems are designed to increase plant safety, without regard to basic compliance. Compliance is assumed. Compliance comes from having a good safety culture, with a good safety system and ongoing safety process.
Unfortunately, in the security area, compliance rules. The North American Electric Reliability Corporation (NERC) serves as the power industry's self-policing agency. NERC's Critical Infrastructure Protection (CIP) standards rely on enforcing compliance, without necessarily insisting on increased security. In fact, NERC has consistently tried to avoid security issues by literally gerrymandering which installations are to be considered "critical." Joe Weiss tells of a utility that was actually fined by NERC for violating the CIPs when it chose to go after increased security and assumed compliance.
Often, the same attitude applies in the other process industries. Cusimano notes, "Many unscrupulous vendors will sell them [end users] anything, and claim it will deliver compliance. It is still not recognized that ICS insecurity can lead to safety incidents."
Weiss points out, "The NERC CIPs would not have prevented a Stuxnet-style attack on our power industry critical infrastructure."
Here is where the two analyses should merge. In an operating process plant, the highest-risk vulnerabilities have little to do with the data in the servers or the plant manager's emails. These vulnerabilities are in the control system and the safety instrumented system, which, if compromised, could shut down the plant, or worse. As the Stuxnet malware proved, this kind of attack doesn't have to come through the network. There were apparently several attack vectors, but the most significant one for Stuxnet was a targeted "candy drop" of infected USB memory sticks in the parking lot of the plant. Users bypassed any network security measures and plugged the USB sticks directly into the engineering workstations and the process control computers.
Weiss talks about how to do a functional security analysis. "A functional security analysis requires senior management buy-in to be successful."
Then, he says, do a detailed assessment of the ICS security you have documented: find out what measures and systems you think you have in place.
Next, determine what you actually have, not what you think is there. When such assessments have been done, hidden, forgotten modem connections into the control system often turn up. The increasing use of smart phones and tablets needs to be considered as both a safety and a security issue, too.
Next, Weiss says, you have to determine what is connected to what and how. Only then will you be clear what the potential cyber issues are.
Then you need to determine how secure you really are. That means finding out if known security issues, such as patching, have been addressed within the context of equipment availability. If plant conditions do not allow for security implementation, determine what work-arounds have been implemented, so you can continue to operate with insecure equipment.
Weiss says that you have to recognize that plants will be hit. You have to develop a recovery plan. This is where ISA106, Procedural Automation for Continuous Process Operations, intersects ISA84 and ISA99.
Finally, ask the many-billion-dollar question: What probability would you assign to a successful cyber attack on a process plant? In other words, how worried should you be, and how much money and manpower should you throw at this problem?
Weiss succinctly responds, "There have been more than 200 actual control system cyber incidents to date (malicious or unintentional). There have been successful cyber attacks on process facilities (more than just Stuxnet). Risk is frequency times consequence. Since there are minimal control system cyber forensics and minimal information sharing, the probability is difficult to estimate, but since you can expect to have cyber-related issues eventually, the probability should be 1!"
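The core of Weiss's analysis is the gap between what a plant believes it has and what a survey actually finds: undocumented assets, forgotten external connections, and unpatched equipment with or without a documented work-around. The following is an added example, not code from the article or from any vendor named in it; the asset tags, connection names and survey records are constructed sample data.

```python
# Added example (not from the article): reconcile the ICS inventory management
# believes it has against what a site survey found, following Weiss's steps.
from dataclasses import dataclass

# Connection kinds that bypass the plant network perimeter (modems, removable media).
EXTERNAL_HINTS = ("modem", "internet", "wireless", "removable", "mobile")


@dataclass(frozen=True)
class Asset:
    name: str              # hypothetical asset tag, e.g. "SIS-LS-01"
    links: frozenset       # networks or devices the asset is connected to
    patched: bool          # have known security issues been addressed?
    workaround: str = ""   # documented compensating control if not patched


def reconcile(documented, discovered):
    """Return (severity, message) findings, worst first."""
    doc = {a.name: a for a in documented}
    act = {a.name: a for a in discovered}
    findings = []
    for name in sorted(act.keys() - doc.keys()):          # found, never written down
        findings.append(("high", f"{name}: present but undocumented"))
    for name in sorted(doc.keys() - act.keys()):          # documented, not found
        findings.append(("medium", f"{name}: documented but not found"))
    for name in sorted(doc.keys() & act.keys()):          # what is connected to what
        d, a = doc[name], act[name]
        for link in sorted(a.links - d.links):
            sev = "high" if any(h in link for h in EXTERNAL_HINTS) else "medium"
            findings.append((sev, f"{name}: undocumented connection to {link}"))
        if not a.patched and not a.workaround:             # insecure, nothing covers it
            findings.append(("high", f"{name}: unpatched, no documented work-around"))
        elif not a.patched:                                # insecure but covered
            findings.append(("low", f"{name}: unpatched, work-around: {a.workaround}"))
    return sorted(findings, key=lambda f: ("high", "medium", "low").index(f[0]))


# Constructed sample data: what the documentation says vs what the survey found.
DOCUMENTED = [
    Asset("DCS-CTRL-01", frozenset({"control-lan"}), True),
    Asset("SIS-LS-01", frozenset({"safety-lan"}), True),
    Asset("ENG-WS-01", frozenset({"control-lan"}), True),
]
DISCOVERED = [
    Asset("DCS-CTRL-01", frozenset({"control-lan", "vendor-modem"}), False,
          "inbound blocked except during supervised vendor window"),
    Asset("SIS-LS-01", frozenset({"safety-lan"}), False),
    Asset("ENG-WS-01", frozenset({"control-lan", "usb-removable-media"}), True),
    Asset("HMI-02", frozenset({"control-lan"}), True),   # nobody wrote this one down
]

if __name__ == "__main__":
    print(*(f"[{s}] {m}" for s, m in reconcile(DOCUMENTED, DISCOVERED)), sep="\n")
```

The unpatched safety system with no compensating control and the forgotten vendor modem surface as the top findings, which is exactly the kind of result Weiss describes turning up when a plant checks what it actually has.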