I am not a stranger to the Operations and Maintenance (O&M) area. Before I got involved in cyber security in 2000, my focus was the O&M of utility and nuclear plant assets and I led several electric utility initiatives on reliability centered maintenance (RCM).
This is the first of two companion blogs on control system cyber security representing the opposing (I could not think of a better word) views of engineering and network security. This first blog represents many in the engineering operations, maintenance, and safety community where cyber security is viewed as incidental issues like e-mail and privacy protection. As those issues do not affect their control, safety, or monitoring systems, they view cyber security to be under the purview of IT. The second blog will be about the perspectives of the OT network cyber security community that is focused on the network often to the exclusion of the control systems and the process. Two years ago, I wrote a blog about this clear divide - https://www.controlglobal.com/blogs/unfettered/control-system-cyber-security-conferences-are-actually-impacting-control-system-cyber-security and it is not getting appreciably better (there are some “good” outliers). There needs to be common ground or control systems will not be secure, reliable, safe, and resilient.
On March 25, 2021, I virtually attended the Ontario, Canada Chapter Webinar on the “SMRP Pillar 2: Optimizing Asset Reliability in the Pharmaceutical Industry.” SMRP is the Society for Maintenance and Reliability Professionals. The presentation was given by Jesús Sifonte who has held various maintenance and reliability positions for BMS and Pfizer Pharmaceuticals for more than ten years. Additionally, he has been a Predictive Maintenance and Reliability Engineering consultant for Abbvie, Johnson and Johnson, Pfizer Pharmaceuticals, and Amgen over the last twenty years. He also wrote the book - Reliability Centered Maintenance – Reengineered: Practical Optimization of the RCM Process with RCM-R.
According to Mr. Sifionte, “Reliability is the ability an asset possesses for fulfilling its functions, as established by its owner, under a specified set of operating conditions. In other words, reliability is built into assets by design, enabling them to do their job satisfactorily. Maintenance, on the other hand, helps assets recover their inherent performance levels. A holistic view of asset reliability entails ensuring risks exposing pharma organizations to facing productivity and quality issues be kept at tolerable levels. Good Manufacturing Practice (GMP), a system for ensuring that products are consistently produced and controlled according to quality standards, plays a primary role in the pharma industry. GMP is the primary driver of all activities related to manufacturing assets and an aspect every Maintenance and Reliability professionals must understand.” The presentation focused on risk. Yet, control system cyber security was not addressed in any of the slides. Consequently, we asked about control system cyber security and why it wasn’t addressed, his response was cyber security was an IT function. This seems to be an oversight as industrial processes have been affected by unintentional cyber incidents and malicious cyberattacks including causing substantial equipment damage and injuries/deaths. With COVID 19 and other maladies, doesn’t it make people uncomfortable that people responsible for the O&M of the pharma equipment producing the vaccines and other critical pharmaceuticals are not addressing control system cyber security?
In 2020, I had a discussion with the organizers of one of the largest O&M conferences about control system cyber security. Until we talked, they were unaware that control system cyber security could impact O&M activities – basically the same response Mr. Sifonte gave. A similar situation led me to address the food industry as there are no cyber security requirements for food adulteration. In fact, my interview with the Senior Technical Editor of Food Engineering on control system cyber issues in the food industry is scheduled to be in their May issue. I also had a call Tuesday March 23, 2021 with some of the leadership of the InfraGard National Sector Security and Resilience Program. They also have a problem getting participation from O&M personnel in the various sectors on cyber security.
The question is why there is such a culture gap between network security and engineering? I believe it is because what is important to the engineers is the process and Level 0,1 engineering devices. However, these devices do not appear to be important to OT network personnel, and the reverse is also true. Dale Peterson in his March 23rd podcast and his weekly article: Properly Prioritizing Level 0 and Level 1 Security. https://www.linkedin.com/pulse/properly-prioritizing-level-0-1-security-dale-peterson/ minimizes the importance of Level 0,1 devices for cyber security. Yet a colleague who is an industry expert on Level 0,1 devices had the following observation: "I have spent years talking to brick walls and brick heads about the lack of security in field devices. Their response is typically that they are air-gapped, and that everything is safe and secure. Irrational fantasy at best. I am not alone in this quest, but I am definitely in a minority.” Is there a question why there is such a culture clash between engineering and network security?
The culture gap between engineering and network security is alive and well. It is a gap that must be closed to help all industries with production equipment that are networked.