Why No Threat Scenarios in Operator Training Systems #pauto #SoftwareRevolution #safety #cybersecurity #automation #training
I was in a discussion with some Invensys executives yesterday afternoon. We were discussing simulators, and especially Operator Training Simulators (or OTSes, as they acronym out). We were talking about the stuff Invensys can already do with OTS systems and dynamic plant simulation, and how the cost of even doing brownfield training simulators is going down.
The big hurdle to brownfield OTS has always been the cost of going out to the plant and getting the actual installed products and wiring, and getting a good recorded model of plant operation. According to Tobias Scheele, vice president of advanced applications at Invensys, the price of getting the infrastructure data into the model is dropping like a rock.
It occurred to me to ask Tobias if he was getting requests from his customers for threat-based scenarios in the Operator Training Systems. I noted that there are safety- and accident-based scenarios, like, for example, how to deal with leaks and fires and such.
But what happens when five or six people with ski masks and automatic weapons take over the control room? What happens if, due to a hack, the system data is compromised? What is the operator supposed to do? How is the operator to be trained to handle these scenarios without worsening the problem?
Scheele said that he had never been asked by a customer for threat-based scenarios, and said he wondered why not. It certainly makes good sense to try to use Operator Training Simulators to provide that kind of training.
Invensys makes simulators for training in the nuclear power, fossil power, upstream, oil and gas, refining and chemical industries. They probably make them for every industry known to man. So, tell me why nobody is asking for threat-based simulation scenarios?
Are we all ostriches?
Is it what Joe Weiss called "The Fallacy of Not Sharing ICS Incident Information"? See his blog, Unfettered, to read his discussion: http://www.controlglobal.com/blogs/unfettered/the-fallacy-of-not-sharing-ics-incident-information-/
It may be.
Vendor companies enforce this fallacy a lot by sending cease-and-desist letters. Rather than admit they have a problem, the company sends its attack lawyers to muzzle the people who are trying to report incident information. This happens regularly. I know of at least five incidents so far this year, where a vendor company took legal action to compel its customer, or a cyber security researcher, or a reporter or analyst to stop talking about a cyber incident. It was not, "This incident never happened and you are a liar." It was, "We don't want you to talk about it, true or not."
This kind of behavior is legal, maybe, but it is clearly reprehensible, and any vendor who is caught doing it ought to be exposed for what they are.
If you are a vendor, and you know that your company has done this, even once, don't complain to me, and don't even tell me the story because I don't want to hear it. Complain to your CEO or your Board of Directors about your company's behavior and make it stop.
If you are an end user and you have been abused by a vendor this way, please consider throwing them out and getting a newer, more honest and reliable vendor, regardless of what it costs.
And if you are an end user, and you haven't asked your OTS supplier to make you some threat-based operator scenarios, you better do so quickly. OJT is not the way to handle these threats, no matter how good your operators are.
Feel free to deny that this behavior exists, and feel free to argue with me. Comment below.