Talking to the Corner Office

This morning, I was supposed to give a speech at the RealtimeACS Cybersecurity Conference in Knoxville, Tenn. I couldn't make it, so I sent a video of the speech to Joe Weiss on a DVD. Katherine Bonfante, our Digital Managing Editor, has posted the speech at:  http://www.controlglobal.com/articles/2007/266.html For those of you who'd just like to read it, here's the text of my remarks: Talking to the Corner Office Hi. I'm Walt Boyes, and ordinarily I'd have been sitting in the back of the room all week, blogging away for ControlGlobal.com. Unfortunately, circumstances intervened, and I'm speaking to you via this DVD instead. I know some of you, and I'm sorry not to have seen you this week. Others of you I was looking forward to meeting. But stuff happens. I appreciate Joe's willingness to let me speak to you by video. The topic of cyber security is one of the most important issues we face as automation professionals. We have lots of catch-up to do in this area, and we must continue to run our utilities and process manufacturing facilities while we do it. We also must move forward faster than real time to protect our assets from cyber attack in the future. That's by itself a nearly overwhelming job. But that's not the worst of it. The real problem is that we are edging out of our traditional, warm and fuzzy automation box into the real world. We're venturing out of the plant and entering a world most of us have never wanted to be in. But first, we can do a lot to ensure better control system security ourselves. We can write specifications that require our vendors to adhere to standards and to certify their products. But wait"”there aren't any standards, and the world of cyber security certification is brand new, with few recognized and accepted certification agencies. The larger companies, particularly the major oil and petrochemical companies, are writing their own standards, because this is something that must be managed TODAY. I know. Companies are working on it. You ARE working on it in your companies, or you wouldn't be here. But beware of the danger of working in a vacuum. And when did you brief the CEO about your cyber security efforts? When did you brief the CFO? Did you brief the marketing communications department? Did you brief the disaster control team? Did you even know that your marketing communications department HAS a disaster control team? Is there a cyber security specialist on that team? Or do the CEO, CFO, Marcomm, AND the Board of Directors know about cyber security only what they read in the newspapers or hear about on the national or international news? If you are a casual observer"”and believe me, CEOs, CFOs, most regulators, Congresspeople and Senators, and probably most of the relevant personnel in the Executive Branch of the United States Government, ARE casual observers"¦as are their analogs in other governments worldwide"”you form your opinions about the state of control system security from what is on the news. So, we have people forming their impressions of cyber security from the most recent "Die Hard" movie, which show how easily terrorists can shut down the northeast power grid. Push one button, right? So we have people standing up at black-hat security conferences and publicly exposing"”as "hot news""”security flaws we've known about, in many cases, for quite a while. We have people keeping lists of incidents. And there have now been enough incidents to tip the threshold of calling them "many." We have people believing that automation professionals need to be rescued by the Maytag repairman, who can fix a production line faster than we can, according to the commercial. And most of us take refuge in saying, "That reporter's stupid. He doesn't know what he's talking about. His reporting is bad." Or "That's just a dumb commercial. Those guys have no clue." Who do we say those things to? Each other. And we talk to our peers in engineering, IT and plant security jargon. WE understand what we're talking about, but does the CEO? Will the Congressman's senior staffer understand? Or will they fall back on what they DO understand: The sound bite from the evening news, or the "poorly written" article on the AP wire? What they will understand is that our systems are as open as Swiss cheese, and that we're basically doing little or nothing to prevent script kiddies and evil terrorists from having their way with our systems. They will understand this because that's what the media is reporting and what Hollywood is portraying in feature films and on TV. Look at the bad press Microsoft has continued to get from both mainstream and trade media. Microsoft has done a heroic job of increasing the security of its software"¦but since "everybody knows" Windows is buggy and Word and IE are insecure"¦ "everybody knows" that Microsoft isn't doing enough. And of course, "everybody knows" we aren't doing enough either. Unless we begin talking about cyber security to the people whose opinions matter, and in ways the non-technical can clearly grasp, we run the risk of being told to do our jobs in ways that are impossible, not merely inconvenient. Is there a real problem with cyber security? Well, no. There are MANY real problems with cyber security! First, we have to talk about the incidents that have occurred and who or what caused them. We know that up until about five years ago, most incidents were accidental, and probably caused by internal failures. But we know that for the past five years, the number of intentional, external incidents has been growing, and growing steadily. We need to let people know what kind of incidents these are and what the result of these incidents has been. The decision makers, corporate and political, need to know that it is impossible to prevent all incidents. They need to know why. We know why. A significant number of incidents will always be internal: mostly accidents, but some disgruntled employees may cause problems. We know this, but does the CEO and the guy from Homeland Security? But now the majority of incidents are external in nature. Only a significant investment in defense in depth will prevent these incidents from becoming disasters in the making. We need to explain that to the CIO and we must explain what has to be done to prevent them. We need to clearly explain the difference between IT and Enterprise Security and how security must be done on the plant floor. Rebooting the email server because a patch installation failed may cause inconvenience, but rebooting the basic process control system because of a bad patch can cause deaths, injuries, and major financial effects. An hour's shutdown of a chemical processing plant can cost upwards of $500,000. How fast can you bring back a process that has been shutdown in an emergency fashion? A day, a week? How long before optimum production is restored? Just keep adding it up. A day's shutdown might cost $12 million"¦a week's might cost $84 million. And while it is true that a million here and there is chump change, $84 million is real money to any enterprise. Those are major financial repercussions for any corporation, anywhere. Talking about the numbers always gets the CEO's and CFO's attention. In fact, this is probably a good time to bring those numbers up in a big way. In the United States, we in automation are about to be slapped with the big fish of correction, also known as the law of unintended consequences. The Sarbanes-Oxley Act applies to control systems, whether SCADA or Process Control. Oh, yes it does. When a plant shutdown from an unplanned control system failure, whether it is cyber-related or not, can cost thousands or even millions of dollars in reduced production and decreased revenue, you bet the CFO wants to know about it. He is legally bound to report such an event under SOX"”and he can go to jail if he doesn't. So it might be a good idea to brief the CFO on what he might have to report to Wall Street and the Securities and Exchange Commission. It might be a good idea to explain what could happen, and, to keep from being a doomsayer, explain the likelihood of what could happen, and what you'll do about it"”as well as what you need to reduce that likelihood. Framed in the context of the numbers and the SOX implications, I'll bet the CFO will listen. Despite the beliefs of most utilities that they have few or no critical cyber infrastructure components, they do. These components really number in the thousands. Every infrastructure component that is networked is vulnerable. How vulnerable? It depends on your defense strategy against cyber attack. I keep hearing from utilities and process plants that the corner office is either unaware or unwilling to be aware of the issue, and unwilling to lay out the kind of funding necessary to correct the problems with control systems. After all, "everybody knows" that Bruce Willis or the Maytag Repairman can fix things in the length of a commercial or a feature film. So how do you think your CEO and CFO and CIO will react to being asked by market analysts if they have any SOX-reportable events regarding their control systems that they'd like to share? Or being asked by the SEC why they didn't share them"¦ If they get blindsided, they'll be looking for YOUR hair. Looked at another way, if you talk to the people in the corner offices in terms they can understand, they'll be much more likely to fork over the resources you need to implement a sensible cyber security program for your operation. Convince them of the importance of cyber security and you don't lose your scalp, plus you get the money you need to implement a really sound cyber security program. Sounds like a win-win scenario to me. So how do you talk to the corner office? First, don't talk technical. Are you familiar with the acronym MEGO? It stands for My Eyes Glaze Over. Most CEOs are NOT technical. John Berra, CEO of Emerson Process Management and Fred Kindle, President of ABB, Inc., are exceptions, not the rule. Most CFOs aren't technical either. If you talk techie to them, you'll get that MEGO look on their faces. Second, remember that the corner office's view of the enterprise is way, way different from yours. The CEO only does three things, according to the voluminous research conducted by Dr. Peter Martin from Invensys Process Systems. CEOs manage the business, measure the performance of the business"¦ and report to the Board of Directors and to Wall Street and the SEC about the business.  CFOs measure the performance of the business"¦using standard accounting techniques and financial rollups. The actuality of what goes on at the plant level is purely invisible at the CFO's level, and he has little interest in what goes on there. COOs manage the business"¦on a macro level. They often have little or no actual experience with what goes on on the plant floor either. What they see is dashboards, reports, and sometimes, in forward-thinking companies, real-time key performance indicators. All these "Cs" think in terms of managing risk, and it is just that way that we need to present cyber security. But we can't get bogged down in technical jargon. We need to present the cyber security risk in terms they will understand without stretching: "¢ Here's the risk of having a SOX-reportable incident with the control systems; "¢ Here's how much it could cost us if we have a major incident; "¢ Here's a strategy to mitigate the risk; "¢ Here's how much the mitigation strategy will cost. "¢ Here's the "delta" between what a significant (but not the worst) incident would cost, and the cost of mitigation. "¢ Here's the delta between worst case incidents and the cost of mitigation. "¢ Here are the non-financial risks to brand, reputation, litigation, and corporate liability. That's how you talk to the corner office. This is the language of corporate risk management strategies, not technical cyber security. Here's the punch line: Only you are able to do this. Only you know enough to be able to make that report. Only you. How important are you? In the process industries, we have several associations, among them ISA. These associations need to be doing their part to educate the corner office, the regulators, elected officials, Wall Street, the media and beyond. The technical societies have been hampered by an unwillingness to engage in the political process. The corporate and trade groups have been hampered by an unwillingness to "speak truth to power," especially about things that might better be left unsaid. But that is the way to having a cyber incident turn into a cyber disaster. We've been bloody lucky so far, that some of the incidents we know about didn't mushroom out of control. Believe me, one will. And when it does, the news media, the politicians, Wall Street, the SEC, and YOUR BOSS will want to know who, what, when, why and how. So talk to the corner office now. Thank you. If you want to talk to me about this, feel free to write to me at wboyes@putman.net, or post to my blog at www.controlglobal.com/soundoff. I'll be posting this text there, and I'll be posting the video in the Process Automation Media Network library on controlglobal.com. You might just want to show it to the corner office.  

What are your comments?

Join the discussion today. Login Here.

Comments

No one has commented on this page yet.

RSS feed for comments on this page | RSS feed for all comments