There is a lot of concern around cyber security in Industrial Control Systems. With new threats like Stuxnet and Flame, the perceived risk to critical infrastructure has increased dramatically. There are increased calls for legislation and new methods for dealing with these threats. The history of how we have dealt with similar risk issues around process safety tells us that there are two ways to address the issues with very different results. On the one hand, there is a prescriptive approach where you define the remediation that should be required. This approach might work in very well-defined systems where there is very little change in technology.
The other approach is to define functional requirements and set performance standards that need to be achieved instead of a specific solution. This approach allows users to fit the requirements of their industries, address the risks and changing threats they see, and to apply new and evolving technology as it is developed. In cyber security, similar applications cross a wide variety of processes, systems, and industries. Technologies change quickly and dramatically, and threats evolve daily if not hourly. Therefore, it is critical to approach the issues with as much flexibility as possible.
With increasing call for legislation, there are important lessons to be learned from our experience with process safety. Two things need to happen:
- Industry needs to move quickly to write clear but flexible approaches to addressing the risks of Cyber Security such as the effort being put forth in the ISA/IEC 62443 (formerly ISA 99 standard). This allows us to define best practices in a way that can be applied across many different industries, applications, and processes. Critical to this effort is the aggressive involvement of the industry’s end user experts. They are the ones that can drive the effort and ensure a neutral approach. To do that, they need the commitment and investment of their management to support their activities.
- On the legislation side, the need to prescribe a quick fix needs to be resisted in favor of a more functional approach like that taken by OSHA and EPA in addressing other process safety risks, or seen in the TSA pipeline guidelines where analysis is required but not specific solutions.