More than 300,000 new malware programs are released onto the Internet every day. There were 245 reported industrial control system (ICS) attacks in the United States in 2014 (emphasis on "reported"), according to the National Cybersecurity and Communications Integration Center; 79 of these involved the energy sector, and 65 targeted critical manufacturing. Every day, cybersecurity incidents create consequences for industry including damages to profitability, productivity, company reputation and safety.
These were just a few of the bombshells dropped on 2015 Schneider Electric Global Automation Conference attendees by speakers Nasir Mundh, global director, safety services, and Joshua Carlson, systems cybersecurity manager, both of Schneider Electric.
"But the problem with facts like this is that they are already out of date," said Carlson. "The best that we can ever hope for when it comes to cybersecurity threats is to be totally on top of what we knew yesterday. The threats are always changing."
The ever-changing nature of cybersecurity is what makes time, lack of visibility and complacency the enemies of process safety, according to Mundh and Carlson. The first enemy is time. "Things change; the risks are constantly evolving," said Carlson. "And yet we often believe that we can establish a cybersecurity system and let it run. We need to continually be identifying the risks, containing them and measuring the effectiveness of our systems."
Carlson said this vigilance needs to apply to the entire lifecycle, not just the two to three years required to ensure design integrity, but the full 20 years of the operational lifecycle. "It is a constant cycle of risk identification, vulnerability recognition, containment, control and assessment."
The second enemy is lack of visibility. Carlson said it's not enough to have the right systems; everyone needs to know what they are.
But the biggest enemy of security, Carlson said, is complacency.
"As we do nothing, the risk rises," said Mundh. And while the traditional risks of corrupted or stolen data, nuisance and financial loss are ever-present, the stakes in process industries are much, much higher. "Cyber threats are not just a nuisance anymore," Mundh said. "They can kill people."
Cybersecurity as safety risk
This is the reason there is increasing pressure on industry to consider security a safety issue and to comply with standards that adhere to the same rigor as safety standards. It is also a primary reason Schneider Electric views every product and service the company sell as including a cybersecurity component, Carlson said.
"It's a simple fact that you will not know where the next risk will come from—and you will not be prepared for it—unless you commit to considering security a safety issue and treating it with the same vigilance," said Carlson.
"When's the last time you tested your systems and procedures? Does everyone know what to do in case of an incident? These are the questions you need to be asking," Carlson said. "Always."
Schneider Electric's services include security assessments, workshops and remediation. The company offers cybersecurity news, lists of known vulnerabilities, white papers and more. They can be accesses at http://www2.schneider-electric.com/sites/corporate/en/support/cybersecurity/cybersecurity.page.