We're too Small for a Cyber Security Policy.... That's for Large Companies
Judy who was a consultant for a local industrial controls company picked up the memory stick that was beside her laptop and downloaded the latest programmable logic controller (PLC) software updates for the county water department's automated lift station. She needed to get the updates to them that morning for their startup later in the week. With the file in hand she made the 10 minute drive over to the plant and checked in as she always has so that she could do her work. Escorted by an employee of the company she made her way to the plant floor and proceeded to download the new software into the PLC that was presently offline.
Her company had a contract to maintain the PLC and its software after designing the original system, so whenever there were updates she would come on site and download the updated software prior to equipment startup. This contractual agreement saved the water company from maintaining an automation engineer on staff, and the company was very good which had been beneficial for them until today. But, today, at startup the pump drives went to maximum speed on initial startup and overloaded the electrical circuits! On each startup attempt this occurred and after some analysis it was determined that a virus was in the program. Sadly, the memory stick that had been picked up in her office had had a virus. Unfortunately, the water company didn't have an industrial security policy which would mandate how their company would design, implement, and/or start up their automation equipment. And, now, they suffered monetary loss in equipment, re-design, and a delayed startup.
Fortunately, the above scenario was fictional but it very feasibly could have occurred as I have been to plant sites and witnessed similar occurrences of plants not having cyber security policies in place for their industrial automation control systems (IACS). First of all, it's perfectly understandable to have a consulting company do the automation work on the PLC equipment since they are the most experienced with working with it and may have all of the engineering credentials. But, if the water company had had a cyber security policy the above fictional scenario could have been avoided. A cyber security policy is NOT something just for large corporations any more. A cyber security policy doesn't have to be an elaborate document as it can be a simple one that does state how the company and all of its employees, vendors, and visitors are to work to assure that the automation equipment, its software, and its networks have minimal cyber security risks based on the company's business case.
For example, in our fictional scenario a cyber security policy for this company would have included direction on how a industrial automation vendor is to work with the company to assure minimal cyber security risk, So, the policy item may have been as follows:
- The water company will have a procedure for all vendors to make sure there is a common protocol when working on plant industrial computers to assure that all new or revised software is downloaded to the PLC assuring that there is minimal risk to the automation equipment
A cyber security policy that is supported by management can provide proper direction so that everyone who is at the plant is working together, similarly, and consistently to minimize risks that are associated with cyber security based on the company's business case and industrial automation assets. A policy is the first step in developing an effective cyber security IACS program, so no company is too small to have a policy that protects the safety of others, their employees, and their critical assets.
By: Meredith Allen, PE, PMP, CEH