Starting up a security program can appear daunting, but in reality, it doesn’t have to be that way. Just look across the room and draw on the years of risk mitigation expertise built up by a comprehensive safety program.
The fundamentals of cyber security and safety are the same: asset owners, system integrators and suppliers need to answer three simple questions:
1. Do we understand what could go wrong?
2. Do we know what systems we have in place to prevent this from happening?
3. Do we have the information to assure us they are working effectively?
But should security and safety programs be merged? Does aligning cyber security with process safety reduce risk? Are companies already combining the disciplines?
These are among the issues Schneider Electric raised in a webcast and a related survey of asset owners, system integrators and suppliers. The survey results contained valuable insight on how well security and safety professionals understood each other’s disciplines and how they might best collaborate going forward.
Do control and safety teams contribute to cyber security strategy?
When asked whether the control and process safety team contributes to the industrial automation cyber security strategy, 85 percent responded positively: 38 percent said yes and 47 percent said to a certain degree.
“While 85 percent say they are working together in some form, as awareness converts to action in the future, I am sure the ‘yes’ answer will be much higher than 38 percent,” said Gregory Hale, editor and founder of safety and security web news portal ISSSource.com, one of the participants in the webcast.
Steve Elliott, senior director of safety systems at Schneider Electric, also part of the webcast, said part of the challenge is safety and security professionals have their own languages, which may be foreign to each other.
“The understanding of the fundamentals, the basics, is missing,” he said. “We need to have a conversation. It could start by everyone taking the time to understand each other’s issues. It is much easier when everyone is talking the same language.”
Emulating vigilance of safety
When asked if users were employing a security program that emulates their safety program, almost 60 percent are either emulating or working on bringing the safety and security teams together. On the other hand, just over 40 percent don’t have the teams on the same page.
“With process safety we have been following a systematic approach. The use of standards has matured and we are now in a better position than we were to bring the two together,” Elliott said. “The expertise and knowledge and the people side of it from safety is there. Use that to unlock it from a security point of view. The fundamental basics are the same; we are still understanding hazards, causes, consequences, likelihood, severity, and impact, by putting systems, measures, procedures, people, and training in place to manage them.”
Emulating the vigilance of safety in a security program not only keeps the environment safe, but it also keeps systems running.
“Not only will safety and security programs protect operational integrity, it will, through the use of greater discipline, allow for increased uptime which allows for greater productivity,” Hale said.
Role of standards
Standards supply an excellent framework and starting point for any safety or security program. The survey found 68 percent were either very informed or informed about the IEC 61511 safety standard, while 22 percent had heard of it and 10 percent didn’t know it. From a security perspective, 34 percent were very informed or informed about the IEC 62443 standard, while 44 percent had heard of it and 22 percent didn’t know it.
“With safety being so mature, I am a little surprised that only 70 percent of the respondents knew about the IEC 61511 process safety standard,” Hale said. “It is also a little surprising that, with the security awareness in the industry so high, 66 percent of respondents have either just heard of the standard or do not know about it. Standards provide such a good foundation to build a program that you would think there would be greater awareness.”
“The good news is the community and the media are bringing the two areas together. The 61511 standard is relatively mature and 62443 is relatively new. When you look at 62443, 80 percent were aware of a new and evolving standard. There is a difference, however, in being aware and how to apply it. That is the challenge,” he said.
What’s driving cyber security and process safety?
When asked what was driving compliance with safety standards, 46 percent of the respondents cited operational excellence, 20 percent cited regulations and 15 percent said security.
“It is all about understanding the risk, the hazards and threats and how we mitigate them,” Elliott said. “The threats are now different than they were 10 years ago. From a safety perspective, we have more mature standards, more knowledge, more information, more people, and more expertise but you can argue that we can still do more. We still need to challenge ourselves to get better. The same question goes to security. Is it real, is it a lot of noise? How do we justify the safety and security investment? Is it another cost to the business or can we use this to improve continuous operation.”
On the security side of the question, the top and bottom answers swap places: 54 percent said security was the prime driver, 17 percent said it was regulations and 15 percent cited operational excellence.
“Security today will be much different in a year. It will continue to grow and advance. It is a never-ending solution,” Hale said. “Due to the nature of cyber security, industry professionals today are kind of in a state of shock at the enormity of the task. They are in a reactive mode, whereas a vigilant safety program, for the most part, is a bit steadier and a bit more predictable.”
When asked about safety and security training, it was clear there was a higher level of training for safety programs than for security.
“It is not just about technology; it is about people and processes,” Elliott said. “Safety programs focus heavily on skills and competencies and the standards are calling for placing more emphasis on that. From a security perspective, you can harden the technology and make it more robust and minimize the vulnerabilities, but a human can come along and change it in a moment. If there were a step change we could make in everyday life, where we have a security moment like we do a safety moment, we could ingrain security in people’s behavior.”
“Security technology is pretty solid for handling threats, but people are not getting the training to use it properly. The same goes for understanding the process,” Hale said. “Companies may have rules and regulations, but people are not getting the training to fully understand their role in the whole security program.”
Frequency of risk and threat assessment
When asked how often they assessed security risks and threats, the majority didn’t know. For how often they assessed safety risks and threats, “annually” and “every five years” were the strongest responses.
“From a security perspective, you don’t know what you don’t know,” Elliott said. “The good news is standards are developing and these give the tools to do an assessment. Everybody should be able to answer the first question called out above: What could go wrong? From a safety perspective there is a relatively mature established cycle.”
“The fact most people did not know how often they assessed security risks and threats is more evidence that safety and security need to work together,” Hale said.
“The world is changing at a fast pace and the risks are very different today than they were five years ago,” Elliott said. “The security and safety picture is like a jigsaw puzzle and collaboration is key. No one stakeholder has all of the answers, but there is a growing wealth of information available. It is only when we bring the pieces together and look at them in their entirety can we see the overall picture. This is a great indication we are moving in the right direction.”