Facing Down the Biggest Challenge to Security: Justifying Spending

Finding someone willing to say that security doesn’t matter is a challenge. The few who still remain in the dark today either haven’t knowingly experienced a security problem, have been living under a technological rock, or simply do not understand the full scope of the security challenges that exist. While most would agree that security is a problem and that they want to protect their assets, businesses, and infrastructure, taking the next step is often hindered by two questions: “what to do?” and “who will pay for it?”

Luckily, “what to do” is becoming much clearer in automation environments. Standards activities such as ISA-99, NIST 800-53, NERC CIP, and a whole host of others are defining much more about the practices needed to manage security. One thing these standards cannot do on their own, however, is make businesses decide to spend money on security. They can help, but at the end of the day, legislation notwithstanding, nothing forces a company to actually allocate funding to improve security. Previous security models have often been built around “compliance,” and compliance comes with the challenge of a “check the box” mentality. Not wanting to be bothered by the complexities, many organizations just check the box, spend only what they must to be compliant, and move on. The legislation becomes outdated, the practices fall away, and the security challenges still lurk. There is clearly a need for a new model.

Significant research is being done by many government organizations, as well as commercial entities such as Wurldtech, in the area of security performance: determining metrics, performance-based measures, and other disciplines that help move security and business protection toward a benefit-based security model. While IT security has tried for many frustrating years, and will continue to try, to come up with benefit-driven models, there is something interesting within the automation space: benefit-driven security is possible.

Some readers may have seen talks I have given on ROSI (Return on Security Investment) in the past. In these I talk about the blend of intangible (risk) and tangible (measurable) numbers. Risk is hard to measure because you are often trying to prove a negative: the absence of evidence of an event can mean either that there was no attempt or that the security measure worked. Management often looks at a spreadsheet column, sees lower losses after security spending, and may not correlate them with actual improvements, just fewer problems. The tangible number can be difficult to prove, however.

The coming months will hopefully generate much discussion in this area. Companies such as Wurldtech are working to change this, as well as many other organizations and standards bodies. But there are some things asset owners can do now: Awareness, Implementation, and Monitoring.

Awareness

Paramount to securing funding from management is that they have to be aware of security problems. In the physical arena, this is often not difficult: theft, vandalism, break-ins, etc. are all easy to track. Cyber is much more difficult. Even if they SEE the hack on the screen, someone who doesn’t understand computers won’t understand that it’s a hack. This is where device testing tools such as Achilles can really change the game. Management and others no longer have to guess; they can see the potential failures in front of them.

Implementation

Utilize the services of experienced security professionals and the industry-recommended practices published by standards bodies. All too many try to “go it alone,” only to be hindered by normal daily challenges, lack of direction, or internal politics. Even short-term engagements with knowledgeable personnel can quickly break down these barriers and position you for success.

Monitoring

This is where continued improvement is critical to success, and results must be measured to continue. Industrial Automation has several areas of interest:

  • Uptime/Downtime Analysis: Understanding the root causes behind line failures, including network problems, configuration management, (preventable) user errors, and other issues. Security measures can often be implemented to quell such problems. Online configuration management tools, better policies, and access control all have the dual benefit of protecting against security threats while also lowering the likelihood of unintentional failures.
  • OEE - Overall Equipment Effectiveness: Measuring availability, performance, and quality, this metric seeks to understand, at the equipment level, the theoretical maximum output and how far below it a line or process is performing. The factors that make up OEE can be analyzed to understand why failures are occurring. Most organizations that use OEE as a metric can state at a moment’s notice what a single percentage point increase or decrease in OEE is worth to the organization. Finding “dual-benefit” factors that are security problems but also hamper line performance (such as network failures and application downtime) leads to performance-based security measures.
  • Planned vs. Unplanned Maintenance: On a machine-by-machine basis, understanding the balance between planned (good) and unplanned (bad: downtime) maintenance can drive users to look at how to be more effective in preventing machine downtime. Security measures that prevent unauthorized changes, such as to machine speed, electrical settings, dangerous shortcuts in procedures, or the logic states of a controller, can deliver both security and process benefits.
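As an added worked example (not the post’s own material, and not Wurldtech’s), the following Python computes OEE for one shift from a constructed downtime record, projects the OEE gain if the security-preventable stops were removed, prices a single OEE percentage point, and feeds the resulting “dual-benefit” figure into the textbook ROSI ratio (benefit minus cost, over cost). The factoring of OEE into availability × performance × quality is the standard definition; the stop categories, cycle times, unit margin, annual figures, and the assumption that performance and quality rates hold during recovered run time are all constructed for illustration.

```python
"""OEE, dual-benefit security accounting and ROSI (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Stop:
    """One unplanned stop on the line. `security_preventable` flags the
    "dual-benefit" causes the post describes (network failures, unauthorized
    configuration changes) that a security control would also remove."""
    minutes: float
    cause: str
    security_preventable: bool


@dataclass(frozen=True)
class ShiftRecord:
    planned_minutes: float      # planned production time for the shift
    ideal_cycle_seconds: float  # theoretical best time to produce one unit
    total_count: int            # units actually produced
    good_count: int             # units that passed quality
    stops: tuple                # unplanned Stop records during the shift


def run_minutes(rec, exclude_security_preventable=False):
    """Planned time minus unplanned stops; optionally drop the security-preventable ones."""
    lost = sum(s.minutes for s in rec.stops
               if not (exclude_security_preventable and s.security_preventable))
    return rec.planned_minutes - lost


def availability(rec, exclude_security_preventable=False):
    return run_minutes(rec, exclude_security_preventable) / rec.planned_minutes


def performance(rec):
    # Output achieved versus what the ideal cycle time allows in the observed run time.
    return (rec.ideal_cycle_seconds * rec.total_count / 60.0) / run_minutes(rec)


def quality(rec):
    return rec.good_count / rec.total_count


def oee(rec, exclude_security_preventable=False):
    """Standard OEE = Availability x Performance x Quality. With
    exclude_security_preventable=True this is a projection that assumes the
    observed performance and quality rates hold during the recovered run time
    (a modelling assumption, not a measurement)."""
    return availability(rec, exclude_security_preventable) * performance(rec) * quality(rec)


def theoretical_max_units(rec):
    return rec.planned_minutes * 60.0 / rec.ideal_cycle_seconds


def value_per_oee_point(rec, margin_per_unit):
    """Money value of one OEE percentage point for one shift: 1% of the
    theoretical maximum output, valued at the margin per good unit."""
    return 0.01 * theoretical_max_units(rec) * margin_per_unit


def security_dual_benefit(rec, margin_per_unit):
    """Projected shift value of eliminating the security-preventable stops."""
    delta_points = 100.0 * (oee(rec, True) - oee(rec))
    return delta_points * value_per_oee_point(rec, margin_per_unit)


def rosi(annual_benefit, annual_cost):
    """Return on Security Investment in the common (benefit - cost) / cost form.
    This is the textbook ratio, not a formula taken from the post."""
    return (annual_benefit - annual_cost) / annual_cost


# Constructed sample shift (not real plant data): 8 h planned, 3 s ideal cycle.
SAMPLE_SHIFT = ShiftRecord(
    planned_minutes=480, ideal_cycle_seconds=3.0,
    total_count=7020, good_count=6669,
    stops=(
        Stop(30, "product changeover", False),
        Stop(15, "operator error", False),
        Stop(20, "network switch failure", True),
        Stop(25, "unauthorized PLC setpoint change", True),
    ),
)
MARGIN_PER_UNIT = 2.0      # constructed contribution margin per good unit
SHIFTS_PER_YEAR = 250      # constructed
ANNUAL_CONTROL_COST = 150_000.0  # constructed cost of the security measures

if __name__ == "__main__":
    rec = SAMPLE_SHIFT
    print(f"OEE now: {oee(rec):.1%}  (A={availability(rec):.1%} "
          f"P={performance(rec):.1%} Q={quality(rec):.1%})")
    print(f"OEE if security-preventable stops removed: {oee(rec, True):.1%}")
    print(f"One OEE point per shift is worth ${value_per_oee_point(rec, MARGIN_PER_UNIT):,.2f}")
    benefit = security_dual_benefit(rec, MARGIN_PER_UNIT) * SHIFTS_PER_YEAR
    print(f"Annual dual benefit: ${benefit:,.2f}  ROSI: {rosi(benefit, ANNUAL_CONTROL_COST):.2f}")
```

The point of the structure is that every number management sees ties back to a stop cause on the line: the security argument is made in OEE points and dollars the plant already tracks, rather than in a risk estimate that has to be defended on its own.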

This has been a long blog post, but it is clearly a matter that deserves some attention. Asset owners who can find ways to measure the benefit of security can justify to management why improvements need to be made, and then go improve the business. Security does not have to be simply a “cost center” for automation; it can indeed be used as an operational improvement tool. Luckily for automation, there are established and well-understood measures such as those above that deserve a second look at how they can help justify and demonstrate business improvement.

For more information on OEE, please visit http://www.oee.com.