By Gregory Hale
Safety protects man against machines and security protects machines against man. Having said that, safety and security share similarities in how users need to approach each discipline.
With security awareness on the rise, professionals are attempting to piggyback onto the safety movement to capture not only awareness, but actual action to ensure a secure operating environment much like safety.
“These two areas are similar,” said Steve Elliott, a safety expert and senior director – marketing at Schneider Electric Wednesday at the Schneider-Electric 2015 Global Automation Conference in Dallas. “We need to think about security the same way that you do about safety. They are stronger together and more similar than different.”
As Elliott said when the session started up, Schneider knows how important safety and security are so they dedicated a good chunk of the second day of the conference to the topics.
Elliott said there are three questions anybody has to ask when it comes to a safe or secure environment:
1. Do you understand what could go wrong?
2. Do we know what the systems are to prevent this from happening?
3. Do we have information to assure us (the systems) are working effectively?
When it comes to understanding what could go wrong, Scott Mourier, senior PA specialist and SIS Coach at The Dow Chemical Company, could speak from experience.
“The safest plant in the world is one that doesn’t start up, Mourier said. “After doing a risk analysis it falls on the company to decide how much risk it can tolerate. Once they do that they can mitigate out the risk.”
The whole idea is to understand what assets you have at the plant, conduct a risk analysis and then assess the risk appetite moving forward.
This is also where safety and security end up related.
“If you take the word safety out and add in security, then you have the same thing,” said Andre Ristaino, managing director of the ISA Compliance Institute. “The only difference is we don’t have 35 years of experience. We do have, however, standards like IEC 62443 to address product security.”
When looking at if we know what the systems are to prevent an incident from happening, the panelists agreed that testing system hardware and software repeatedly to gain certifications is vital.
“We have to make sure everything is working properly before any chemical starts flowing,” Mourier said. “We have a structured systematic approach to safety.”
“A starting point is understanding site requirements and then find out security assurance levels,” Ristaino said.
He added there needs to be detailed software design and testing and there also needs to be:
• Asset discovery scan
• Communications robustness test
• Network stress test
• Vulnerability identification test
“Most upsets are internally driven, so it is important to test all entry points,” Ristaino said.
Elliott also brought up the classic security scenario of the IT versus the OT question about the two areas working together. That has been a heated issue for a long time, but as of late it has been getting better as both sides are starting to understand boundaries.
Mourier just laughed when asked if working with IT was a problem.
“It shouldn’t be, but it is,” he said. “A lot of times we work in silos. Sometimes they speak a language I don’t understand.”
Elliott then brought up what he called the most important question about having enough information to assure everyone the systems are working effectively.
“That is the challenge,” Mourier said. “When a system is running in a steady state, the system is safe. The problems occur when there is an upset.”
He said if a part of the safety plan is to test equipment on a regular basis, users have to make sure they do the test and don’t put them off because they are too busy. A delay of one day turns into a few days; that turns into a week, which then turns into a month, he said.
“The whole reason you do testing is so you can discover any problems,” he said. “If you delay testing, then you are going into a risk area.”
Users can have a plan and they can utilize the latest technology, but in the end it all falls down to people.
“People are the magic ingredient,” Ristaino said. “If you don’t have an educated workforce with good policies and procedures and the discipline, then you can have an upset. You need a security response plan, so if something happens you don’t start overreacting.”
“Incidents happen day in and day out,” Ristaino said. “Most incidents occur from a people aspect.”
“Sometimes we are our own worst enemy,” Mourier said. “Sometimes it isn’t a malicious attack; it is just a mistake.”