I was driving one of exida’s top risk experts from Europe to a business meeting. We parked and I locked the car door. He commented, “I noticed you did not lock the car door when you parked at the exida office.” He was right. In an area I do not know, I always lock the car door. But not always in the exida lot. He added, “A risk analysis will show car theft is a low risk due to random events, but remember cars are stolen by humans. These are not random events as we know them.” He added, “A good risk return on investment analysis would show you should always lock the car door. The cost is so little, a few seconds. This is because the car designer designed in a good layer of protection – the door lock.”
Good thinking, I thought. Just like control system cybersecurity. Cyber-attacks come from humans. So the natural confidence we build up from years of no events can fool us. Some control equipment manufacturers understand that. They have designed layers of protection into their safety PLCs, PLCs, and DCS control equipment. New embedded systems cybersecurity standards (IEC 62443-4-1, IEC 62443-4-2) have been written and can be used now. Cybersecurity certification programs have been started, and several manufacturers have completed a cybersecurity certification.