Tuesday, February 13, 2018

We're Too Small for a Cyber Security Policy... That's for Large Companies

Judy, a consultant for a local industrial controls company, picked up the memory stick beside her laptop and copied onto it the latest programmable logic controller (PLC) software update for the county water department's automated lift station.  She needed to get the update to them that morning for their startup later in the week.  With the file in hand she made the 10 minute drive over to the plant and checked in as she always had so that she could do her work.  Escorted by an employee of the company, she made her way to the plant floor and downloaded the new software into the PLC, which was offline at the time.

Her company had designed the original system and held a contract to maintain the PLC and its software, so whenever there were updates she would come on site and download the updated software prior to equipment startup.  This arrangement saved the water company from keeping an automation engineer on staff, and the contractor did good work, which had been beneficial for both of them until today.  Today, at startup, the pump drives went to maximum speed and overloaded the electrical circuits.  The same thing happened on each startup attempt, and after some analysis it was determined that a virus was in the program.  The memory stick that had been picked up in her office had been infected.  Unfortunately, the water company had no industrial security policy mandating how its contractors were to design, implement, and start up its automation equipment, and now it suffered monetary loss in damaged equipment, re-design, and a delayed startup.

Fortunately, the above scenario is fictional, but it could very feasibly occur: I have been to plant sites and witnessed similar situations at plants that had no cyber security policy in place for their industrial automation control systems (IACS).  First of all, it is perfectly understandable to have a consulting company do the automation work on the PLC equipment, since they are the most experienced with it and may hold all of the engineering credentials.  But if the water company had had a cyber security policy, the above fictional scenario could have been avoided.  A cyber security policy is NOT just for large corporations any more.  It does not have to be an elaborate document; it can be a simple one that states how the company and all of its employees, vendors, and visitors are to work so that the automation equipment, its software, and its networks carry minimal cyber security risk based on the company's business case.

For example, in our fictional scenario a cyber security policy for this company would have included direction on how an industrial automation vendor is to work with the company to assure minimal cyber security risk.  The policy item might have read as follows:
  • The water company will maintain a procedure that all vendors follow when working on plant industrial computers, so that every new or revised program is transferred to the PLC in a consistent way that poses minimal risk to the automation equipment.
A cyber security policy that is supported by management can provide proper direction so that everyone at the plant is working together, the same way, and consistently to minimize cyber security risks based on the company's business case and industrial automation assets.  A policy is the first step in developing an effective IACS cyber security program, so no company is too small to have a policy that protects the safety of others, its employees, and its critical assets.
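One concrete control such a vendor procedure could require is shown below as an added Python example; it is not from the original post and not the author's or any vendor's tooling. It assumes a hypothetical procedure in which the vendor publishes a SHA-256 manifest of the approved program files by a channel separate from the memory stick, and the plant refuses to load any file that is missing from the manifest or whose digest does not match. The file names, the manifest format and the sample bytes are constructed for illustration.

```python
"""Integrity check for a vendor-supplied PLC program file (added example).

Hypothetical procedure: the vendor records a SHA-256 digest for each approved
file at release time and sends that manifest by a channel separate from the
memory stick (e-mail, portal, phone read-back). At the plant, nothing is loaded
into the PLC unless the file on the stick is named in the manifest and its
digest matches. File names, the manifest format and the sample bytes below are
constructed for illustration and are not from the original post.
"""
import hashlib
import hmac
import json
import os
import tempfile

# Constructed stand-in for the exported PLC program file; the bytes are
# arbitrary. SHA-256("abc") is a published test vector, so the manifest digest
# produced below can be checked independently.
SAMPLE_PROGRAM = b"abc"
SAMPLE_PROGRAM_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def sha256_file(path, chunk_size=1 << 20):
    """Digest a file in chunks so large program archives need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(release_dir, approved_files):
    """Vendor side: map each approved file name to its digest at release time."""
    return {name: sha256_file(os.path.join(release_dir, name)) for name in approved_files}


def verify_update(path, manifest):
    """Plant side: decide whether the file at `path` may be loaded into the PLC.

    Returns (ok, reason). A file that is not named in the manifest is refused
    outright, so a stray or renamed file on the stick cannot slip through just
    because nobody computed a digest for it.
    """
    name = os.path.basename(path)
    expected = manifest.get(name)
    if expected is None:
        return False, "%s is not listed in the vendor manifest" % name
    actual = sha256_file(path)
    # Constant-time comparison; cheap here, and the habit matters for
    # authenticator checks elsewhere in a plant tool set.
    if not hmac.compare_digest(actual, expected):
        return False, "%s digest mismatch (manifest %s..., media %s...)" % (
            name, expected[:12], actual[:12])
    return True, "%s matches manifest digest %s..." % (name, expected[:12])


def demo():
    """Constructed end-to-end run: a clean copy, a tampered copy and an unlisted file."""
    results = {}
    with tempfile.TemporaryDirectory() as vendor_dir, \
            tempfile.TemporaryDirectory() as stick:
        # Vendor release step: write the approved program, publish its manifest.
        with open(os.path.join(vendor_dir, "liftstation_v2.pcf"), "wb") as f:
            f.write(SAMPLE_PROGRAM)
        manifest_json = json.dumps(build_manifest(vendor_dir, ["liftstation_v2.pcf"]))

        # What the plant actually has: the manifest from the separate channel,
        # and a memory stick whose contents it must not trust.
        manifest = json.loads(manifest_json)
        results["manifest_digest"] = manifest["liftstation_v2.pcf"]
        for case, content in (("clean", SAMPLE_PROGRAM),
                              ("tampered", SAMPLE_PROGRAM + b"\x00injected")):
            case_dir = os.path.join(stick, case)
            os.mkdir(case_dir)
            program = os.path.join(case_dir, "liftstation_v2.pcf")
            with open(program, "wb") as f:
                f.write(content)
            results[case] = verify_update(program, manifest)
        stray = os.path.join(stick, "setup_notes.txt")
        with open(stray, "wb") as f:
            f.write(b"not an approved file\n")
        results["unlisted"] = verify_update(stray, manifest)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

The check only catches alteration between the vendor's release step and the plant floor; if the vendor workstation that exported the program was already infected when the digest was computed, the manifest will match the infected file. That is why a policy item of this kind is usually paired with requirements on the vendor's own build and media handling, and with scanning or imaging of removable media before it reaches plant computers.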

We will address developing an effective IACS cyber security policy in future blogs.  Please join us. 
By: Meredith Allen, PE, PMP, CEH

Thursday, February 1, 2018

Are You A Cyber Security Gambler?

How you answer this question is at the heart of your IACS cyber security strategy, but first, let's analyze the question.

What is a gambler?  Well, the Oxford English Dictionary defines "gamble" as "taking a risky action in the hope of a desired result" or, alternatively, "a risky action undertaken in the hope of success."  This definition carries two key themes:

      (1)   The uncertainty of the outcome; (i.e., “risky action”) and
      (2)   The outcome being beyond the action taker’s control or influence (i.e., “hope” of a positive outcome).

Therefore, a gambler can be viewed as someone who makes a "risk-reward" decision, with the reward being the "desired result" or "success" and the risk being the amount (or lack) of control or influence the gambler's actions have on achieving the reward.  The defining feature is the lack of control the gambler has over the outcome.
The risk is determined by the specific actions undertaken to achieve the reward, with potential actions ranging from inaction (after all, no decision is a decision) to "spare no expense".  If you gamble with your IACS cyber security strategy by not taking control to assure a positive outcome, then there is an increased risk of an IACS cyber security incident (i.e., "risky actions"), and you are essentially being a cyber security gambler.

There is no one-size-fits-all risk-reward definition, so answering the gambler question requires a very clear understanding of what reward(s) you seek and what action(s) you are willing to undertake to achieve the reward(s).  Beware: these seemingly simple considerations may not be as easy as they sound, so in the future we'll explore some common pitfalls.

In the meantime, what do you think? Are you a cyber security gambler?

By Greg Hudson, PE