Industrial Cyber Security Compliance & Enforcement

  • December 16, 2013
  • Feature

By Bill Lydon, Editor

Cyber security has become a hot topic with users and vendors of industrial automation systems. The big question is, "Will companies make cyber security investments without legal enforcement?"

ISA’s Automation Week 2013 hosted an Executive Panel on cyber security challenges for industry in Nashville, TN on November 6, 2013. Brigadier General Rudolf Peksens, retired from the U.S. Air Force, moderated the panel. General Peksens told the audience that the automation business is involved in cyber security conflicts whether we want to be or not. He framed the situation this way: industry now faces the “bits and bytes” of IT systems, which have been weaponized and are penetrating critical networks at will. The threat is significant, documented and growing.

U.S. Federal Government

Samara Moore, National Security Council, Director for Critical Infrastructure, discussed cyber security and underscored the pressing cyber threats across the United States and the world. She noted that the threat is becoming broader and more diverse. As we continue to leverage technology for efficiency and productivity, we require more system connections, and each connection increases the exposure to cyber threats. In addition, the threats are becoming more sophisticated and increasingly dangerous. Moore spoke about U.S. Presidential Executive Order 13636, which was announced in President Obama’s 2013 State of the Union address and signed on February 12, 2013. The Order calls for the development of a national cyber security framework that includes “standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks,” and “help owners and operators of critical infrastructure identify, assess, and manage cyber risk.” The National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce, is charged with developing the framework and engaging the private sector in guideline development.

On October 28, 2013, NIST released a preliminary cyber security Framework. On October 29, 2013, NIST announced a 45-day public comment period on the preliminary Framework in the Federal Register. Comments were due by December 13, 2013. The goal is to motivate and drive industry to action that results in more secure and resilient systems and networks. The intent is to develop a technology-neutral, voluntary cyber security framework.

The Automation Federation, part of the International Society of Automation (ISA), has been deeply involved in the workshops, and the ISA99 (ISA/IEC 62443) series of standards is cited in the preliminary cyber security Framework as a key standard. The ISASecure Embedded Device Security Assurance (EDSA) certification program, which certifies automation controllers and other embedded devices against those requirements, is currently available. A few leading suppliers have certified their automation controllers to this standard, but many others have not.

Moore also discussed efforts to explore possible incentives for companies to implement cyber security, including federal procurement preferences and grant incentives.

Thoughts & Observations

It appears to me that building cyber security compliance and culture has a strong similarity to the application of training, best practices, devices, systems, and procedures needed to meet plant/machine safety goals and requirements. Today, it is easy to forget that it took the force of law and the threat of fines to foster a culture of safety investments and industry practices. Remember that the United States government established the Occupational Safety and Health Administration (OSHA) under the Occupational Safety and Health Act, signed into law December 29, 1970. OSHA was empowered to levy fines for non-compliance and, over many years, safety has become ingrained in the industry. Ultimately, industry started to reap the returns from safety systems and to understand their value, including increased productivity. Hopefully, industry professionals have matured enough to embrace cyber security measures and reap the same kind of benefits.

Brigadier General Rudolf Peksens voiced his concerns about the possibility of a cyber Pearl Harbor if industry does not act. I certainly share those concerns. After following cyber security issues for a long time, I believe the “big game” has not started yet. Adversaries are just learning, poking and gathering data. Winners of classic military battles generally conduct good reconnaissance and probe their opponents’ defenses before launching major attacks. To carry the war analogy further, there are typically campaigns with many battles.

Users and vendors should not be overconfident about their cyber protection without kicking hard against their products and systems. I have not been seeing new industrial controllers, software, and networking protocols that are inherently designed for cyber protection and mitigation. Today's answers are add-ons, firewalls, and services, which have their place in the scheme of things but are not a substitute for security designed into the products themselves.
