By Larry Frenchwood CISSP, CISM, GICSP, CEH EnscoRowan – Lead Cyber Security Specialist IT/OT September, 2019
To better understand the relationship of safety implications of OT (Operational Technology) security, we must first explore the differences between IT & OT security.
Often times IT & OT security get bundled together as general cyber security. Nothing could be further from the truth. They are both very different in implementation, operation and architecture. IT computing environments are based on information and data. OT or Industrial Control System environments (ICS) are based on processes. These processes can involve or produce valuable data, but it’s the process that is the main component in an ICS environment. Protecting information is fundamentally different than protecting processes. They also can have different consequences. If the company loses data or information due to a cyber-attack or breach, the impact often can mean financial losses and or reputational damage. If the company losses critical processes, the impact could result in not only financial losses, but also loss of human life or damage to the environment. This leads us to the topic of this discussion. Why is OT Security just as important as Safety? For decades in OT environments, safety has been the #1 priority. No matter the industry, wherever ICS environments are present, historically safety has been the #1 driver in operations. Only in recent years has cyber security become a priority in OT, and this is mainly due to the increase of successful high profile cyber-attacks against ICS networks. In reality, cyber security has an ever increasing impact on safety, and it is for this reason that we need to marry safety and security. In this new era of inter-connectivity and growing business appetite for control systems data, it is imperative that we explore the evolving risks this brings into the picture. This can best be explained through an example of how cyber security can directly impact safety. Let’s say we are operating a production process that manufactures a product. Creating this product involves processes that combine chemicals at various stages of production. These chemicals must be regulated at certain temperatures before mixture in order to avoid serious chemical reactions. These temperatures are normally controlled by process logic controllers (PLC) which controls the equipment that regulates temperatures of the chemicals. Typically there are set points configured in the control system that provide the acceptable conditions for operating these processes. If the temperature exceeds the parameters of the configured set point, stop the process and alert someone. Safety systems can also be tied to these control systems to ensure the processes do not function beyond set limits. What if an attacker is able to modify or disable the safety systems and notifications? What happens if an attacker is able to manipulate the set points? They can essentially cause the system to allow temperatures in the chemicals that would cause a reaction that could also result in damage, or harm to people and or the environment. This would also lead to financial loss, reputational damage as well as potential legal liabilities. Now we begin to understand the importance cyber security in relation to safety in operational technology environments and especially for ICS. There are a myriad of examples you could apply that all potentially have huge negative consequences. I believe we have surpassed the days of elevating safety as the #1 priority for business or operations. In my opinion safety and security should be married to one another. You can’t have safety without security, and you can’t have security without safety. Both should be given equal priority from senior management in every organization. It is impossible to eliminate all risks, but it is completely possible to manage risks to acceptable levels. Providing robust and effective management of risks associated with safety and cyber security is essential for ensuring the company’s safe and effective delivery of products and services.