Have companies taken information security risks of their process control systems into account in their overall risk evaluations?

January 8, 2016 at 10:30

IT and automation systems have traditionally been kept separate, both technically and administratively. While data administration has been responsible for the design, management and maintenance of IT systems, the automation team has assumed the same responsibilities for automation systems. However, these two separate areas have been integrated into each other at an increasing pace over the past twenty years.

Both system suppliers and users of automation technology have expressed need for changes. This development has originated, for example, from cost savings presented by the use of standard IT and requirements of the business management to obtain real-time data.

Information security has been taken into consideration in IT environments for a long time now. For more than a decade, the IT field has defined standardized practices that have been developed and updated many times over. However, companies are not fully able to take information security risks into account in their overall risk evaluations when it comes to automation systems. One reason for this may be that, traditionally, information security has been, and still is in many cases, the responsibility of the IT group. Good practices and tricks of the trade have not been passed from IT to automation teams, mostly because those responsible for information security have not had proper authorizations in production environments. This is the situation many companies are facing, even though IT is currently being used extensively in process control.

What happens when a process control is guided to operate incorrectly or maliciously?

This raises the question of whether your company has assessed the impact of digital process control systems on business operations and continuity. From the point of view of process plant operators or maintenance employees, it is insignificant whether the inoperability of a machine or system is caused by ordinary breakage or an information security incident. The risk evaluation of process control systems has traditionally focused on the question does it work or does it not work; as such the impact on the process has been assessed in terms of machine breakage. Usually, maintenance strategies and plans have also been planned from the same viewpoint. This traditional approach is a good starting point as such, but it lacks one significant situation: the incorrect, unplanned or malicious operation of a system.
For this reason, I would like to challenge companies to evaluate the possible consequence of intentionally guiding control system operated process actuators to operate incorrectly. When all possible consequences are known, it is possible to evaluate how business operations would withstand such a situation, and to plan and evaluate available protection measures accordingly.