I have been very critical of the networking community not working with the engineering community on control system cyber security. However, I came across examples of the engineering community still not being aware of control system cyber security and its impact on systems engineering and safety.
OSHA issued Process Safety Management for Petroleum Refineries – Lessons Learned from the Petroleum Refinery Process Safety Management National Emphasis Program (OSHA 3918-08 2017). Cyber security was not mentioned. Given the catastrophic damage at the Texas City Refinery, this omission is glaring.
In 2019-2020, the National Defense Industrial Association Systems Engineering Division (NDIA-SED) and the International Council on Systems Engineering (INCOSE) collaborated with the Systems Engineering Research Center (SERC) at the Stevens Institute of Technology to benchmark the current state of Digital Engineering (DE) and Model-Based Systems Engineering (MBSE) across government, industry, and academia. The team developed and executed a survey of the systems engineering community to broadly assess the maturity of system engineering’s “digital transformation”, identify specific benefits of MBSE and associated metrics, identify enablers and obstacles to DE and MBSE adoption across the enterprise, and understand evolving and necessary shifts in the systems engineering (SE) workforce. The Systems Engineering Research Center (SERC) issued the report Benchmarking the Benefits and Current Maturity of Model-Based Systems Engineering across the Enterprise Results of the MSBE maturity Survey, Part 1: Executive Survey dated March 19, 2020, Technical Report SERC-2020-SR-001. The term “cyber security” was not mentioned in the survey responses. Cyber security was addressed from the perspective of security of data and Intellectual Property (IP). However, these are IT not engineering considerations. Where were the questions about control system cyber security which directly affect safety, reliability, and resiliency which should be front and center to systems engineers?
Another very important issue is the integration of cyber security and process safety as you cannot be safe if you are not secure. There are several standards activities addressing this missing intersection including ISA84 (Process Safety)/ISA99 (Cyber Security), the UK’s Institution of Engineering and Technology - IET's (the British equivalent of IEEE) Code of Practice for Cyber Security and Safety, and SAE’s G32 Committee. I am not sure what other process safety/cyber security activities are ongoing though I expect there are in other areas such as medical and transportation. However, it is very important these activities are comprehensive and not inconsistent as often the same equipment from the same vendors are used. Which begs the questions, who is identifying the organizations addressing the intersection of safety and security and who is doing the coordination between these organizations?
Both IT/OT and engineering still have a long way to go to adequately secure our critical systems. In fact, they both have a way to go to even understand what isn’t being addressed, like Level 0,1 issues. Where is DHS CISA to help with the standards coordination as they mentioned was so critical at the 2020 RSA Conference?