Engineering, Operations, and Maintenance often do not view cyber security as their problem

March 28, 2021
This is the first of two companion blogs on control system cyber security representing the opposing (I could not think of a better word) views of engineering and network security. On March 25, 2021, I virtually attended a webinar on Optimizing Asset Reliability in the Pharmaceutical Industry.” The presentation was given by Jesús Sifonte. who has held various maintenance and reliability positions for many pharma companies and has written a book on Reliability Centered Maintenance (RCM). His presentation focused on risk. Yet, control system cyber security was not addressed in any of his slides. When asked about cyber security, his response was cyber security was an IT function. This seems to be an oversight as industrial processes have been affected by unintentional cyber incidents and cyberattacks including substantial equipment damage and deaths. With COVID 19 and other maladies, doesn’t it make people uncomfortable that people responsible for the pharma equipment producing the vaccines and other critical pharmaceuticals are not addressing cyber security? A similar situation led me to address the food industry in a previous blog as there is no cyber security requirements addressing food adulteration. The InfraGard National Sector Security and Resilience Program also has a problem getting participation from O&M personnel in the various sectors.

I am not a stranger to the Operations and Maintenance (O&M) area. Before I got involved in cyber security in 2000, my focus was the O&M of utility and nuclear plant assets and I led several electric utility initiatives on reliability centered maintenance (RCM).

This is the first of two companion blogs on control system cyber security representing the opposing (I could not think of a better word) views of engineering and network security. This first blog represents many in the engineering operations, maintenance, and safety community where cyber security is viewed as incidental issues like e-mail and privacy protection. As those issues do not affect their control, safety, or monitoring systems, they view cyber security to be under the purview of IT. The second blog will be about the perspectives of the OT network cyber security community that is focused on the network often to the exclusion of the control systems and the process. Two years ago, I wrote a blog about this clear divide - https://www.controlglobal.com/blogs/unfettered/control-system-cyber-security-conferences-are-actually-impacting-control-system-cyber-security and it is not getting appreciably better (there are some “good” outliers). There needs to be common ground or control systems will not be secure, reliable, safe, and resilient.

On March 25, 2021, I virtually attended the Ontario, Canada Chapter Webinar on the “SMRP Pillar 2: Optimizing Asset Reliability in the Pharmaceutical Industry.” SMRP is the Society for Maintenance and Reliability Professionals. The presentation was given by Jesús Sifonte who has held various maintenance and reliability positions for BMS and Pfizer Pharmaceuticals for more than ten years. Additionally, he has been a Predictive Maintenance and Reliability Engineering consultant for Abbvie, Johnson and Johnson, Pfizer Pharmaceuticals, and Amgen over the last twenty years. He also wrote the book - Reliability Centered Maintenance – Reengineered: Practical Optimization of the RCM Process with RCM-R.

According to Mr. Sifionte, “Reliability is the ability an asset possesses for fulfilling its functions, as established by its owner, under a specified set of operating conditions. In other words, reliability is built into assets by design, enabling them to do their job satisfactorily. Maintenance, on the other hand, helps assets recover their inherent performance levels. A holistic view of asset reliability entails ensuring risks exposing pharma organizations to facing productivity and quality issues be kept at tolerable levels. Good Manufacturing Practice (GMP), a system for ensuring that products are consistently produced and controlled according to quality standards, plays a primary role in the pharma industry. GMP is the primary driver of all activities related to manufacturing assets and an aspect every Maintenance and Reliability professionals must understand.” The presentation focused on risk. Yet, control system cyber security was not addressed in any of the slides. Consequently, we asked about control system cyber security and why it wasn’t addressed, his response was cyber security was an IT function. This seems to be an oversight as industrial processes have been affected by unintentional cyber incidents and malicious cyberattacks including causing substantial equipment damage and injuries/deaths. With COVID 19 and other maladies, doesn’t it make people uncomfortable that people responsible for the O&M of the pharma equipment producing the vaccines and other critical pharmaceuticals are not addressing control system cyber security?

In 2020, I had a discussion with the organizers of one of the largest O&M conferences about control system cyber security. Until we talked, they were unaware that control system cyber security could impact O&M activities – basically the same response Mr. Sifonte gave. A similar situation led me to address the food industry as there are no cyber security requirements for food adulteration. In fact, my interview with the Senior Technical Editor of Food Engineering on control system cyber issues in the food industry is scheduled to be in their May issue. I also had a call Tuesday March 23, 2021 with some of the leadership of the InfraGard National Sector Security and Resilience Program. They also have a problem getting participation from O&M personnel in the various sectors on cyber security.

The question is why there is such a culture gap between network security and engineering? I believe it is because what is important to the engineers is the process and Level 0,1 engineering devices. However, these devices do not appear to be important to OT network personnel, and the reverse is also true. Dale Peterson in his March 23rd podcast and his weekly article: Properly Prioritizing Level 0 and Level 1 Securityhttps://www.linkedin.com/pulse/properly-prioritizing-level-0-1-security-dale-peterson/ minimizes the importance of Level 0,1 devices for cyber security. Yet a colleague who is an industry expert on Level 0,1 devices had the following observation: "I have spent years talking to brick walls and brick heads about the lack of security in field devices. Their response is typically that they are air-gapped, and that everything is safe and secure. Irrational fantasy at best. I am not alone in this quest, but I am definitely in a minority.”  Is there a question why there is such a culture clash between engineering and network security?

The culture gap between engineering and network security is alive and well. It is a gap that must be closed to help all industries with production equipment that are networked.

Joe Weiss

Sponsored Recommendations

Measurement instrumentation for improving hydrogen storage and transport

Hydrogen provides a decarbonization opportunity. Learn more about maximizing the potential of hydrogen.

Get Hands-On Training in Emerson's Interactive Plant Environment

Enhance the training experience and increase retention by training hands-on in Emerson's Interactive Plant Environment. Build skills here so you have them where and when it matters...

Learn About: Micro Motion™ 4700 Config I/O Coriolis Transmitter

An Advanced Transmitter that Expands Connectivity

Learn about: Micro Motion G-Series Coriolis Flow and Density Meters

The Micro Motion G-Series is designed to help you access the benefits of Coriolis technology even when available space is limited.