I read a blog on Digital Bond’s Bandolier project (www.digitalbond.com, Posted:May 27th, 2008 under Bandolier, DoE Research Project). It seems to be a good approach to identifying vulnerabilities in control system computers. The severity ratings for Bandolier are a good idea but the approach does not go far enough. Since these ratings are used for compliance reporting, it potentially could cost companies a significant amount of money without an accompanying risk reduction. The missing piece is the impact on the process or facility. I see two issues with the Bandolier approach- the first is the classification of non-critical computers as “severe”. The second is how Bandolier is used in the overall context of securing the facility. Many of the Major and Moderate control system cyber incidents I have identified in my incident database would not have been identified using an approach like Bandolier as they were not caused by traditional computer vulnerabilities but represented failures, omissions, or errors in design, configuration, or implementation of required programs and policies.
As an example of the first issue, consider a “typical” automation system like the one with which I am now working. It is a large power plant control system retrofit where security is to be considered. This facility includes many generations of control system workstations that are used in both critical and non-critical applications. Some are connected to the Process network LAN, some are connected to the Control LAN, some are connected to the Corporate LAN, and some are not even connected to a LAN. Using the Bandolier security rating approach, many workstations used in non-critical applications and not even connected to the plant control network could get a “Severe” rating if all IT appropriate security controls have not been applied. However, in the grand scheme of protecting assets (the facility and its ability to produce power), this type of rating would require significant expenditures without offering any benefit to the security of the facility.
For security approaches such as Bandolier to be effective, they need to be combined with impact on facilities. Examination of ISA SP99 requirements and risk definitions and tools such as the Idaho National Laboratory-developed Cyber Security Self-Assessment Tool (CS2SAT) make it clear that consequences must be understood in terms of the effects on facilities, major equipment health, environmental concerns, and public safety. Perhaps that was the idea of the Bandolier approach. But unless they define what they mean by “systems” to include these effects, their approach will not meet automation systems needs. I think these identified limitations in Bandolier have more to do with the different cultures of IT and Operations where IT’s focus is protecting computers while Operations focus is protecting the process and facilities. I believe the potential for extending Bandolier (or other IT-type approaches) to include impacts on facilities provides a basis for the two communities to work together. Consequently, this will be a major discussion area at the Applied Control Solutions August Control System Conference in Burr Ridge, IL.