
Bill's Automation Perspective on Cybersecurity

28 July, 2014

By Bill Lydon, Editor

Cybersecurity has been and will continue to be a major topic within the industrial automation market. With the wide range of cybersecurity implications comes a wide range of technical solutions. Again, at the recent Siemens Automation Summit, held on June 23-26, 2014, at Walt Disney World's Contemporary Resort in Orlando, Florida, there were eleven sessions on the topic, each full of perspectives and information. Siemens and other vendors have introduced managed security services to help manufacturers protect systems and mitigate threats. The following are my thoughts on the topic.

Cybersecurity & Safety Similarities

Virtually every event that I attend includes presentations on cybersecurity. Many times the parallel to plant and machine safety is cited. There are clear similarities: both provide a protection function and require technology, training, best practices, systems, and procedures. If cybersecurity follows the same course as safety, it may take many years for automation systems to become fully focused on cybersecurity; the safety culture took years to develop. The force of law and fines prompted a culture of safety investments and industry best practices.

The United States Occupational Safety and Health Act (OSHA) became law on December 29, 1970--more than 40 years ago. It took many years of OSHA inspections and non-compliance fines before safety became deep-rooted in industry.

Justification

Much like safety, it is hard to justify cybersecurity investments until companies look in the “rear-view mirror” and see disasters that have already happened. Management now understands the value of safety systems. Industrial safety measures are considered investments that ultimately save money by reducing disability pay, improving productivity, and increasing uptime. Investments impact today’s profits. There is a marked tendency for businesses to do as little as possible until prodded by laws and major disasters.

Hopefully, today’s manufacturers have matured enough to learn from our safety history and to embrace cybersecurity measures and reap the benefits.

Threats

Brigadier General Rudolf Peksens voiced concerns about the possibility of a cyber Pearl Harbor if industry does not act. Based on analysis and many discussions with experts, I certainly share his concerns. The victors of classic military battles generally probe their opponents’ defenses for reconnaissance and gain valuable information before launching major attacks. It seems obvious that adversaries, "bad guys," and spoilers are following that same process.

Wartime Security

During my career, I visited a number of military defense contractor sites that still employ the security measures used in World War II. In addition, the sites implement new measures to protect industrial machines and plants against unauthorized access, sabotage, espionage, and malicious manipulation. Industry should start thinking about cyber and physical protection in the context of wartime security.

Show the Corpse

For many manufacturers, cyber threats are not tangible and evident; however, that doesn’t mean they don’t exist. Asking management to make investments in cybersecurity measures based on the potential downtime caused by an attack is a tough sell. Management is presented with a wide range of other investment proposals that save money and improve efficiency. Many of those proposals improve an existing operation or process in an obvious way, making them a clear investment choice.

Convincing management to invest in cybersecurity is different, because it deals with a potential future event. Further complicating these decisions is the number of cyber incidents detected at manufacturers that have not brought down production. Automation professionals may need to be more dramatic in selling cyber protection to management. There is an old-school method of selling life insurance: the insurance salesman backs the hearse up to the front door and shows the family a corpse. The salesman then vividly paints a picture of what life would be like if the family’s breadwinner were to die before his/her time.

This sales approach emotionally engages the buyer by illustrating the future. My advice to many manufacturers would be to invest in a cybersecurity risk assessment, at a minimum. You might be surprised what you discover.

What do you think?

I am interested in your thoughts and experiences with cybersecurity. Please share them in our LinkedIn discussion group.
