The engineering world is still not keeping up with cyber security nor is there adequate standards coordination

March 26, 2020
Both IT/OT and engineering still have a long way to go to adequately secure our critical systems. In fact, they both have a long way to go to even understand what isn’t being addressed. Where is DHS CISA to help with the standards coordination as they mentioned was so critical at RSA?

I have been very critical of the networking community not working with the engineering community on control system cyber security. However, I came across examples of the engineering community still not being aware of control system cyber security and its impact on systems engineering and safety.

OSHA issued Process Safety Management for Petroleum Refineries – Lessons Learned from the Petroleum Refinery Process Safety Management National Emphasis Program (OSHA 3918-08 2017). Cyber security was not mentioned. Given the catastrophic damage at the Texas City Refinery, this omission is glaring.

In 2019-2020, the National Defense Industrial Association Systems Engineering Division (NDIA-SED) and the International Council on Systems Engineering (INCOSE) collaborated with the Systems Engineering Research Center (SERC) at the Stevens Institute of Technology to benchmark the current state of Digital Engineering (DE) and Model-Based Systems Engineering (MBSE) across government, industry, and academia. The team developed and executed a survey of the systems engineering community to broadly assess the maturity of system engineering’s “digital transformation”, identify specific benefits of MBSE and associated metrics, identify enablers and obstacles to DE and MBSE adoption across the enterprise, and understand evolving and necessary shifts in the systems engineering (SE) workforce. The Systems Engineering Research Center (SERC) issued the report Benchmarking the Benefits and Current Maturity of Model-Based Systems Engineering across the Enterprise Results of the MSBE maturity Survey, Part 1: Executive Survey dated March 19, 2020, Technical Report SERC-2020-SR-001. The term “cyber security” was not mentioned in the survey responses. Cyber security was addressed from the perspective of security of data and Intellectual Property (IP). However, these are IT not engineering considerations. Where were the questions about control system cyber security which directly affect safety, reliability, and resiliency which should be front and center to systems engineers?

Another very important issue is the integration of cyber security and process safety as you cannot be safe if you are not secure. There are several standards activities addressing this missing intersection including ISA84 (Process Safety)/ISA99 (Cyber Security), the UK’s Institution of Engineering and Technology - IET's (the British equivalent of IEEE) Code of Practice for Cyber Security and Safety, and SAE’s G32 Committee. I am not sure what other process safety/cyber security activities are ongoing though I expect there are in other areas such as medical and transportation. However, it is very important these activities are comprehensive and not inconsistent as often the same equipment from the same vendors are used. Which begs the questions, who is identifying the organizations addressing the intersection of safety and security and who is doing the coordination between these organizations?

Both IT/OT and engineering still have a long way to go to adequately secure our critical systems. In fact, they both have a way to go to even understand what isn’t being addressed, like Level 0,1 issues. Where is DHS CISA to help with the standards coordination as they mentioned was so critical at the 2020 RSA Conference?

Joe Weiss

Sponsored Recommendations

Make Effortless HMI and PLC Modifications from Anywhere

The tiny EZminiWiFi is a godsend for the plant maintenance engineers who need to make a minor modification to the HMI program or, for that matter, the PLC program. It's very easy...

The Benefits of Using American-Made Automation Products

Discover the benefits of American-made automation products, including stable pricing, faster delivery, and innovative features tailored to real-world applications. With superior...

50 Years of Automation Innovation and What to Expect Next

Over the past 50 years, the automation technology landscape has changed dramatically, but many of the underlying industry needs remain unchanged. To learn more about what’s changed...

Manufacturing Marvels Highlights Why EZAutomation Is a Force to Be Reckoned With

Watch EZAutomation's recent feature on the popular FOX Network series "Manufacturing Marvels" and discover what makes them a force to be reckoned with in industrial automation...