Changing the way we think about Security

  • November 10, 2011
  • Feature
November 2011
Rick Kaun, Honeywell Process Solutions
Security in its current state suffers from the wrong name and, therefore, the wrong reputation.
This is a problem that plagues all of the process industry – security is thought of as physical protection against intrusion or the detection of hackers when, in fact, little thought is given to the security threats that exist inside the fences of any given facility. In reality, security is trying to ensure safe, reliable, expected operation of facilities and protection from all threats, including those inside a plant’s perimeter. 
If we look at the example of the North American power industry’s creation, adoption and enforcement of its regulatory requirements—the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards—we can learn a lot about how to approach cyber security in all industrial environments. And one of the main lessons is that we need to change the way we think about implementing a security program. 
Too often plants believe that they are secure strictly because they are compliant or follow the letter of regulations. However, dangers like Stuxnet show that more dangerous threats exist internally and are prime examples of how facilities that don’t tie in a philosophical shift on how they view security can be susceptible to problems. A change in behavior – the willingness to think beyond compliance and accept security as a philosophy – is necessary to implement a truly reliable security program that will ensure organizational support long-term.
Power Industry and NERC CIP Compliance
In August 2003, North America experienced perhaps the largest power outage on record. This event, in conjunction with the events of Sept. 11, 2001, created the impetus for precursors to the NERC CIP standards and subsequent enforcement, which was phased in over several years.
One mandate of the regulations is that an organization must use a “risk-based assessment methodology” to identify its critical assets. A risk-based assessment is based on a consideration of a combination of likelihood and impact. NERC guidelines have further instructed the industry to assume that the likelihood of threats and vulnerabilities always exists, leaving only the impact portion of the equation as requiring analysis.   
Unfortunately, many companies fell into the trap of using this mandate as a way to exempt large sections of their facilities as non-critical. This trap opposes the spirit of NERC CIP, which is intended to increase the overall stability and reliability of each facility with respect to cyber threats. Adopting this mantra makes it easier to consider things as “non-critical.”
Power companies have been able to exempt large portions of their facilities from full NERC CIP compliance, but doing so points to real day-to-day risks of operation, which exist regardless of terrorist or other targeted, motivated attack vectors. This type of behavior, though, is not limited strictly to power generation facilities. In fact, it’s a template that can be recreated across virtually any industry.
What plants need to consider are the risks associated with a far more probable threat vector—inadvertent, non-malicious behavior that introduces threats to network security. There is a very high likelihood that the majority of companies are going to be hit by this kind of unintentionally negligent behavior many times and long before they are the victims of targeted attacks. It is the average user already at work in trusted situations and locations at a facility that will likely cause an organization to fail to operate reliably. Security conferences and presentations are full of examples of the well-intentioned vendor with a virus on his laptop, or the honest but unenlightened employee who clicks on the wrong page, email or attachment. Companies are rife with users who circumvent security policy without understanding the repercussions and risks they are introducing.
Companies need to rethink the end goal of compliance. The majority of facilities appear content to limit themselves to satisfying the letter of their current regulations or standards. What is needed is a willingness to think beyond the bureaucracy of compliance to embrace the realization that cyber security is really about ensuring safe, reliable, and expected system behavior. With this new mindset, companies will quickly recognize that cyber security has an immediate, day-to-day relevance far beyond any unformed threat of cyber terrorism, and their willingness to exempt themselves from compliance will diminish.
The power industry provides an example of one industry’s response to network security regulations and a regulator’s move to reinforce the original intent of their standard. The decision to substantially revise the criteria used to identify facilities that require a comprehensive cyber security program points to the need for a change in conventional thinking. By recognizing cyber security’s crucial role in the reliability and robustness of the very networks our critical applications run on, what emerges is the wisdom of implementing a baseline security model across facilities, regardless of industry, to increase the likelihood of safe, reliable operations and minimize potential security incidents. With this emphasis on safe, reliable operations of facilities – and the implications of this for environmental regulations – we quickly see how cyber security is destined to become entrenched in process control industries in much the same way as the culture of safety has over the last decades. In light of the unavoidable move towards increased regulation, the argument against implementing cyber security becomes really just a discussion on how to postpone the inevitable. And delay can have serious repercussions for the success and cost of an effective security program.
Benefits of a Long-term Security Strategy
Embracing a security philosophy and developing a long-term strategy for its implementation, regardless of any current or impending regulatory requirements, allows an organization to plan a security rollout that will succeed in terms of its effectiveness, employee support and financial cost.
Building a security program over time and with the involvement of multiple work disciplines supports the creation of a program that truly protects your organization and ensures its safe and reliable operations. This phased approach allows time for trial and error and to incorporate lessons learned into your security program. This approach also positions your organization well once a regulatory standard is mandated for your industry. The company that builds security best practices over time into their everyday project list has only a small step to close the gap to full compliance.
Long-term planning also has the advantage of allowing organizations to introduce and socialize the concept of security over time. Implementing a security program requires far more than simply installing technology and turning it on. If employees are not familiar with, or do not support the security program’s concepts and controls, they will not implement them. And without active support and endorsement of a security program, the results will not achieve the desired level of security.
From an economic standpoint, long-term planning provides flexibility in terms of spreading the cost and effort over time and other budgets and initiatives. For example, a detailed inventory of cyber assets is a fundamental building block for any security program. This information could be gathered during the regular day-to-day interactions of users at plant facilities, or perhaps an inventory program could be planned and assigned to summer students. Planned upgrades to assets and units could incorporate the future needs of a security program and include small additions like domain controller builds or network equipment upgrades. In this way, the information and infrastructure required to support a security program can be built over time. 
The economic rules of supply and demand also support the long-term approach. As the impetus for security programs grows and more regularly becomes mandated by enforcement laws, there will be companies that scramble, thereby skewing the supply and demand balance and driving up the price – and diminishing the availability – of necessary hardware, software and services. Planning and executing with sufficient time frames in mind will minimize the cost impact.
It is time to embrace the concepts of implementing security controls and adopting preferred controls within a manageable time frame. A philosophical shift is required in order to move forward and implement a truly manageable, scalable security program that will contribute to the safe and reliable operation of a facility’s critical infrastructure. Holding out to the end will not only mean delaying effort, but may also seriously affect the success of a security program and the cost to implement it.

Did you enjoy this great article?

Check out our free e-newsletters to read more great articles..