Pat Differ, Vice President- Head of Industrial Sales at Mission Secure, Inc. responds to ‘Crossing the Industrial Cybersecurity Chasm’ by Jonathon Gordon, Directing Analyst, Takepoint Research.
He feels that as marketing forces push for a world where the internet of things becomes the norm and where big data will need greater protection, cyber security will take on new meanings and force decisions requiring engineering, cyber and enterprise level experience to bring it all together. Pat’s goal is to assist in transferring the years of knowledge he has in a meaningful and practical way to assist companies in this transition.
Human safety remains the most important aspect of ICS cybersecurity
I started my Automation career in 1977 and my OT Cyber career 16 years ago and agree with most of your article. It is well stated.
There are parallels to the early Industrial Control Systems and OT Cyber platforms in many areas: Ownership, education of stakeholders, ease of use, MTTR, and system integration. Supply Chain is a new one since in the older days you tracked component infant mortality and it was initially a DEC world. It was trusted.
There is one area that needs a lot more attention and that is the cost benefit analysis, ROI over the Control System lifecycle and assets you are trying to protect. In truth, Safety is the single most important impact criteria in OT probably followed by Uptime and the ability to recover and restore from an event. A human life is priceless and your cyber security foundation, like your Automation foundation should indeed cover the whole integration spectrum from Asset, sensor to SOC. Taking any risk when it comes to human safety is unacceptable to me in principle. The OT platforms comparatively speaking are cost negligible vs risk and actual asset value. This is where the Industry at large has failed to properly educate in my view.
You are correct on the need for more innovation required for L0 and L1 in real-time. In an internet connected world you have to engineer solutions to close safety gaps and Stuxnet proved this beyond a shadow of a doubt. I too often hear the C Level refrain of “yea but how often does this really happen?”
Those of us who live in the engineering reality of Control Systems and safety recognize this as a financial statement and another example of how lack of education is likely complicit in fo
stering needed discussion on cost benefit.
Human safety vs earnings vs risk? The Majority as you point out is most likely interested in understanding this area more. They are certainly being impacted by insurance premiums. I don’t understand why the Insurance industry is offering assessments as a way to reduce premiums but it’s a good first step. The problem I have with it is that assessments are a snapshot in time. Real-time is 24/7/365. That’s how control systems run.
The true relationship between Industrial Control systems and safety and OT Cyber needs to be one foundation built around human safety first. If a Stuxnet type event was targeted at a closed cycle plant with Hydrogen Cyanide are you really going to risk human safety by doing nothing? Visibility into the software, asset management, inventory management, access controls and incident response are better than current alternatives.
I agree with you that the only way this will accelerate is if the end users compel innovators to keep them safe.
Automation systems are designed for control and are highly resilient and also highly integrated. Cyber is another layer in the integration. Cyber doesn’t make systems less reliable; on the contrary, visibility into baseline behavior in the software domain is relatively new. Mean Time to Repair, Replace and Restore analysis was always based on hardware and the irony is that the real value was always in the software.
The education of CEOs , CIOs, CISOs and CFOs in real-time automation and the cyber layer and how that relates to human safety needs to accelerate and it needs to include L0 and L1 for the best possible defense for employees and assets. Protection and not just network analysis, is required for control systems.
This is my view. I’ve walked the walk and I think you are on the right track.