“If you look at cyber security from the enterprise perspective, there is no safety element. If, say, a Web server or a SQL server gets compromised, you might lose data or you might have a financial loss, but nothing blows up, nobody dies and nobody gets hurt,” points out Bradford Hegrat, lead security consultant for Network and Security Services at vendor Rockwell Automation Inc., in Mayfield Heights, Ohio. But that’s not necessarily the case on the plant floor.
“The reason we do cyber security is to have safe systems. Safety could be compromised by cyber-security vulnerabilities,” says Eric Cosman, an engineering solutions IT consultant at The Dow Chemical Co., Midland, Mich. That’s why the trend toward a closer alignment between safety and security disciplines is a good thing, says Cosman, who is co-chair for the International Society for Automation’s ISA99 Industrial Automation and Control Systems Security committee.
It has only been within the past couple of years, Cosman believes, that many in the industrial cyber-security community have truly begun to recognize the link between cyber security and plant floor safety. “One of the things we have struggled with for the last several years is explaining to people why we are so serious about security in control systems,” he observes. “It’s almost like, in the case of control systems, somebody had to come up with a primary imperative—the compelling reason for cyber security. And while safety may not be the only compelling reason, it’s certainly a major compelling reason.”
Many industrial companies today have ingrained safety cultures. “We have gotten to the point where everybody ‘gets it’ at some level. We wear hard hats. We wear steel-toed shoes. We know about protective personal equipment,” says Hegrat. But typically, a corresponding “cyber-security culture” has not yet developed. People still bring in Universal Serial Bus (USB) sticks and plug them into plant floor devices, despite the fact that this could infect control system networks with harmful viruses or cyber worms. And they still write their passwords on sticky notes attached to their terminals, despite being told repeatedly not to do so.
Can vs. should
That’s why the big winners in the trend toward safety and security convergence are likely to be asset owners, says Hegrat. “That’s really where the biggest benefits are going to happen because people will start to realize that just because they can do something doesn’t mean they should,” he asserts. “It’s technically feasible to surf the Web from an HMI (human-machine interface),” Hegrat observes. “But I don’t recommend it; just because you can, it doesn’t mean you should.”