"It depends on the industry," says Joe Weiss, principal of Applied Control Solutions and chief blogger of Control's "Unfettered" cybersecurity blog. "The electric industry treats security as a compliance, not a reliability or safety issue. Other industries, such as chemical and petroleum, treat security as an important reliability and safety consideration. For example, consider the membership of the ISA99 Leadership Committee. The end users on the committee are primarily from oil/gas and chemicals, with no representation from electric utilities."
But it's not just electric companies that don't get the security/safety nexus. Many companies see cybersecurity as solely an IT problem.
Weiss points out, "I have found that senior management are keenly aware of IT security issues because of Sarbanes-Oxley, but they are only aware of control system security when something bad happens. An ongoing dilemma is how to educate senior management to be as interested in protecting their operational assets as they are in having their ERP installed on time and within budget."
Echoing Cosman, Weiss goes on, "Plant management often feels that cybersecurity is an IT issue—protecting emails and the data in enterprise servers. Another ongoing dilemma is how to educate plant management to understand how cybersecurity can affect reliability and safety."
Sikora adds, "There is too much focus on the technical aspects of security and less on the business aspects. We need to educate our engineers to speak a business language and present to management metrics around security. Our security risk is X. We need to invest Y to reduce our risk by Z."
Al Fung, director of marketing for safety and critical control solutions for Invensys Operations Management (IOM) says, however, "We are seeing a shift in attitude towards raising the importance of security."
Managers are reaching out to the cyber and safety communities to learn and understand the impact and consequence of an attack, Fung says, and they are engaging control system vendors to help prevent and mitigate potential risks.
That's good, because just like safety, security is not fundamentally a vendor issue. Fung's IOM colleague, program manager-cybersecurity, Ernie Rakaczky, has pointed out that the responsibility of the vendor to produce secure systems solves about 25% of the problem, while the end users are responsible for the remaining 75% in the way they implement security policies, procedures, training and enforcement. Just as companies need to create and maintain a safety culture, they also need to create and maintain a security culture—and recognize that the two cultures are the same.
Fung goes on, "Defense-in-depth security is similar in approach to layers of protection for safety in the context of risk reduction and mitigation. Any plant design, safety risk assessment and hazard analysis that involves the use of any industrial control equipment needs to include a security assessment as part of the design for plant safety. If it isn't an integral part, it should be."
And here's where plant security and safety collide. "Plant management and executive management may be concerned about, but do not understand industrial control security," John Cusimano says. Most often they look to the IT department, but "the challenge is that while IT knows how to secure networks, it does not know how to properly apply security control in an industrial control system (ICS) environment. Security assessments tend to focus on fundamentals, such as strengths of passwords, and definitely do not address how to secure ICS protocols."
Safety, Security and Compliance
In the United States, when the Occupational Safety and Health Administration (OSHA) was established in 1971 under the Nixon administration, the new agency focused on workplace safety, not functional safety in the process industries. It also focused on "compliance" to the Occupational Safety and Health Act of 1970.
Since that time, the number of usually avoidable accidents where property, injuries and some fatalities have occurred remains high, with this writer's estimate that between 100 and 200 process plant workers are killed annually, and thousands injured.
And for readers with a financial bent, BP's Texas City refinery has not yet recovered full production since the accident in 2005 that took 16 lives and damaged a significant part of the plant. These accidents carry a huge financial cost in terms of plant downtime, with loss of revenue in nearly every accident, including some plant-closing events, not to mention payouts to victims and their families and government fines, plus softer costs to corporate reputations as well as damage to communities and significant ecological costs.
But savvy end users understand that a good safety culture is about making things safer, not about being compliant with regulations. Safety systems are designed to increase plant safety, without regard to basic compliance. Compliance is assumed. Compliance comes from having a good safety culture, with a good safety system and ongoing safety process.
Unfortunately, in the security area, compliance rules. The North American Electrical Reliability Corporation (NERC) serves as the power industry's self-policing agency. NERC's Critical Infrastructure Protection (CIP) standards rely on enforcing compliance, without necessarily insisting on increased security. In fact, NERC has consistently tried to avoid security issues by literally gerrymandering which installations are to be considered "critical." Joe Weiss tells of a utility that was actually fined by NERC for violating the CIPs when it chose to go after increased security and assumed compliance.