Friday, March 2, 2018

Profit and Safety … a High Wire Balancing Act

So, do you know who Don Blankenship is, or why you should even care? Blankenship was chief executive of Massey Energy and is believed to be the first chief executive of a major US corporation convicted in federal court for essentially putting profits ahead of safety. As a result, Blankenship spent 12 months in a federal prison and halfway house.
The basic goals for almost any company are to provide a fair return to investors and a safe work environment … a balancing act to be sure. So what happened?

The event leading to Blankenship’s conviction was an explosion at Massey’s Upper Big Branch coal mine in April 2010, killing 29 workers … the worst US coal mining accident in 40 years. A subsequent independent investigation condemned Massey for multiple failures to meet basic safety standards, operating “its mines in a profoundly reckless manner.” According to this independent investigation, Massey neglected safety precautions for the purpose of increasing profit margins. Thousands of safety violations at the Upper Big Branch mine in the years prior to the explosion certainly appear to support this conclusion. Blankenship was ultimately charged with conspiring to violate federal safety laws and with making false statements to investors and regulators. He was subsequently convicted of the conspiracy charge. In handing down his sentence, the presiding judge said Blankenship had abused the trust of Massey’s shareholders, its officers and its employees by putting profits ahead of safety.

So by now, you may be asking what this has to do with cyber security and, more importantly, with you.

This illustration demonstrates the importance of balancing a return to shareholders while also providing a safe and secure work environment. Think of the Flying Wallendas: just like them, you’re constantly in motion to maintain balance. Lose balance and the result can be devastating! Our world is constantly changing, so there are many factors involved in balancing profit and work environment. Focusing on cyber security may reduce some of our profit margins, but if it is not considered, it may devastate our work environment and ultimately our company. So, pick up the balancing pole because, whether you know it or not, you are on the high wire! Think it through.

By Greg Hudson, PE 

Tuesday, February 13, 2018

We're too Small for a Cyber Security Policy … That's for Large Companies

Judy, a consultant for a local industrial controls company, picked up the memory stick that was beside her laptop and downloaded the latest programmable logic controller (PLC) software updates for the county water department's automated lift station. She needed to get the updates to them that morning for their startup later in the week. With the file in hand she made the 10 minute drive over to the plant and checked in as she always had so that she could do her work. Escorted by an employee of the company, she made her way to the plant floor and proceeded to download the new software into the PLC, which was presently offline.

Her company had a contract to maintain the PLC and its software after designing the original system, so whenever there were updates she would come on site and download the updated software prior to equipment startup. This contractual agreement saved the water company from maintaining an automation engineer on staff, and the consulting company was very good, which had been beneficial for them until today. But today, at startup, the pump drives went to maximum speed and overloaded the electrical circuits! This occurred on each startup attempt, and after some analysis it was determined that a virus was in the program. Sadly, the memory stick that had been picked up in her office had had a virus. Unfortunately, the water company didn't have an industrial security policy that would mandate how their company would design, implement, and/or start up their automation equipment. And now they suffered monetary loss in equipment, re-design, and a delayed startup.

Fortunately, the above scenario was fictional, but it very feasibly could have occurred, as I have been to plant sites and witnessed similar occurrences of plants not having cyber security policies in place for their industrial automation control systems (IACS). First of all, it's perfectly understandable to have a consulting company do the automation work on the PLC equipment, since they are the most experienced in working with it and may hold all of the engineering credentials. But if the water company had had a cyber security policy, the above fictional scenario could have been avoided. A cyber security policy is NOT something just for large corporations any more. A cyber security policy doesn't have to be an elaborate document; it can be a simple one that states how the company and all of its employees, vendors, and visitors are to work to assure that the automation equipment, its software, and its networks have minimal cyber security risk based on the company's business case.

For example, in our fictional scenario a cyber security policy for this company would have included direction on how an industrial automation vendor is to work with the company to assure minimal cyber security risk. So the policy item may have been as follows:
  • The water company will have a procedure for all vendors so that there is a common protocol when working on plant industrial computers, assuring that all new or revised software downloaded to the PLC presents minimal risk to the automation equipment.
A cyber security policy that is supported by management can provide proper direction so that everyone at the plant is working together, similarly and consistently, to minimize the risks associated with cyber security, based on the company's business case and industrial automation assets. A policy is the first step in developing an effective IACS cyber security program, so no company is too small to have a policy that protects the safety of others, their employees, and their critical assets.

We will address developing an effective IACS cyber security policy in future blogs. Please join us.

By: Meredith Allen, PE, PMP, CEH

Thursday, February 1, 2018

Are You A Cyber Security Gambler?

How you answer this question is at the heart of your IACS cyber security strategy, but first, let's analyze the question.

What is a gambler? Well, the Oxford English Dictionary defines “gamble” as “taking a risky action in the hope of a desired result” or, alternatively, “a risky action undertaken in the hope of success.” So, within this definition there are two key themes:

  (1) The uncertainty of the outcome (i.e., “risky action”); and
  (2) The outcome being beyond the action taker’s control or influence (i.e., “hope” of a positive outcome).

Therefore, a gambler can be viewed as someone who makes a “risk-reward” decision, with the reward being the “desired result” or “success” and the risk being the amount (or lack) of control or influence the gambler's actions have on achieving the reward. In other words, a gambler has limited control over the outcome.
The risk is determined by the specific actions undertaken to achieve the reward, with potential actions ranging from inaction (after all, no decision is a decision) to “spare no expense.” If you gamble with your IACS cyber security strategy by not taking control to assure a positive outcome, then there is an increased risk of an IACS cyber security incident (i.e., “risky actions”), and you are essentially being a cyber security gambler.

There is no one-size-fits-all risk-reward definition, so answering the gambler question requires a very clear understanding of what reward(s) you seek and what action(s) you’re willing to undertake to achieve the reward(s). Beware: these seemingly simple considerations may not be as easy as they sound, so in the future we’ll explore some common pitfalls.

In the meantime, what do you think? Are you a cyber security gambler?

By Greg Hudson, PE 

Thursday, January 25, 2018

What's It Going to Cost You?

A constant issue with Industrial Automation Control Systems (IACS) is that the company's security personnel complain that there is not enough funding to properly implement an effective cyber security program. So, as companies are beginning a new year, this is a good time to revisit your 2018 budgets, make last minute adjustments, and ask whether cyber security is adequately funded for the risks that you face. Maintenance costs, marketing, and new accruals will probably receive more money because of our familiarity with these important business structures. Cyber security is an unknown and may show up in the budget only because of a security director's insistence. And how do we really know what to budget?

Cyber security is making the news and making the headlines, which means that it's getting closer to us every day. And what will be the outcome for the company if it has just one incident … could it mean a catastrophic event that harms individuals, costs us millions of dollars, or ruins the company's reputation? Any one of these could devastate a company that has thoughtfully put together a meaningful budget with the intent to grow the business. This could be the year that a cyber event occurs; are you ready? And do you know what it's going to cost you if it does occur?

Maybe this year, look beyond the normal spreadsheet and make sure that there are line items in your budget for cyber security that include:

  1. Cyber security compliance and appropriate security controls (the costs to meet the company's existing security policies and practices).
  2. Cyber security expertise (cyber security is changing daily, so plan to have audits and assessments of your business by 3rd party auditors to assure that you are secure). An early audit could provide you an estimate of the amount that needs to be budgeted for your cyber security needs.
  3. Cyber security talent. It is imperative to have a good cyber team that includes process controls engineers, security professionals, operators, maintenance personnel, and management. At least 2 of these team members need to be very proficient in cyber security, process controls, and the policies and standards for your company's industry. Allow money to assure you have the talent to protect your company.

Companies need to be proactive and plan for cyber security to make sure that the company is protected: just as the company needs fire extinguishers, smoke detectors, sprinkler systems, etc. to protect against fire, the company also needs to plan accordingly for cyber security. Recovery costs, which are the expenses associated with a cyber event, will be much lower if the above line items are included in your annual budget, especially if the company has followed its own security policies and industry standards. Being proactive cannot guarantee that budgeted line items will result in lower recovery costs, since that also depends on the company's recovery plan for an event, but it will put your company in a better position to avoid cyber security recovery costs that can debilitate your company.

By Meredith Allen, PE, PMP, CEH