This article was printed in CONTROL's April 2009 edition.
This is a six-sided tale. Safety. Security. Compliance. Engineering. Finance. Legal. As I said in my keynote speech last year at the TÜV Rheinland Safety Symposium, we’re seeing a convergence of the disciplines of functional safety and control system cybersecurity (what I’ve taken to calling “functional security”). It isn’t hard to see why. Both disciplines focus on the behavior. Both disciplines are based on risk management. Both disciplines require continuing engineering analysis and management.
Since both disciplines are about managing risk to acceptable levels, we can easily see that ultimate safety isn’t a viable goal, nor is ultimate security. We need as much safety as we must have to eliminate or dramatically reduce the incidence of accidents in the plant. We need as much security as we must have to eliminate or dramatically reduce the incidence of cyber intrusion into the control and SCADA systems we operate. But we don’t want to be hampered in operating the plant by either safety or security regulations and enforcement. So we want just enough, but not too much, of either safety or security.
There’s the engineering side of risk management, and then there’s the financial side. The financial side says we can have less safety and security than the engineers want by insuring against accidents and intrusions. That way, company profits stay protected, but company personnel and assets sometimes do not.
When, as is beginning to happen now, governments begin making regulations about either safety or cybersecurity, we find the legal side of risk management rearing its head.
While the engineers want enough safety and security to prevent accidents, but not hamper production, and the bean counters want as little safety and security as they have to pay for, the lawyers want none of those things, and they don’t care, either.
The lawyers’ job is to keep the company from being sued, and the way they do that is by instituting a risk-management vehicle called compliance. As far as the lawyers are concerned, the company only has to do as little as it can toward functional safety or functional security and be in compliance with the regulations.
In the U.S. power industry, we have the NERC-CIPs and people insisting that their cybersecurity practices, which are manifestly unsafe to the engineers, but way too costly already to the bean counters, are just fine because they’re in compliance.
We’re seeing this attitude spread to the water and wastewater utilities and, to some extent, to the transportation sector and some of the chemical, pharmaceutical and food industries, because they’re used to regulation and to compliance with regulations.
None of this, however, is making our infrastructure any safer or more cyber secure.
We must continue to focus on the idea that functional safety is about safely preserving people and processes and assets, not hedging with insurance policies to cover drastically unsafe practices. We must continue to focus on the idea that functional security is about the ability of our systems to withstand assaults from without, disaffected employees from within and simple accidents. We must continue to focus on what those disciplines actually are for.
I can just hear the CEO trying to explain to the Sarbanes-Oxley folks, “Well, we were in compliance. It isn’t our fault that the terrorists’ cyber attack killed our functional safety system and blew up our plant. We were in compliance!”
And that is why we’re seeing a convergence of functional safety and functional security as disciplines.