Cyber Security = Safety. Get It?

There is a growing realization that cyber security—once considered primarily an information technology (IT) problem—has different ramifications on the plant floor than it does in the office.

Safety is a major compelling reason for control-systems cyber security, says Dow Chemical's Eric Cosman, who is ISA99 co-chair.
Safety is a major compelling reason for control-systems cyber security, says Dow Chemical's Eric Cosman, who is ISA99 co-chair.

“If you look at cyber security from the enterprise perspective, there is no safety element. If, say, a Web server or a SQL server get compromised, you might lose data or you might have a financial loss, but nothing blows up, nobody dies and nobody gets hurt,” points out Bradford Hegrat, lead security consultant for Network and Security Services, at vendor Rockwell Automation Inc., in Mayfield Heights, Ohio. But that’s not necessarily the case on the plant floor.

“The reason we do cyber security is to have safe systems. Safety could be compromised by cyber-security vulnerabilities,” says Eric Cosman, an engineering solutions IT consultant at The Dow Chemical Co., Midland, Mich. That’s why the trend toward a closer alignment between safety and security disciplines is a good thing, says Cosman, who is co-chair for the International Society for Automation’s ISA99 Industrial Automation and Control Systems Security committee.

Primary imperative

It has only been within the past couple of years, Cosman believes, that many in the industrial cyber-security community have truly begun to recognize the link between cyber security and plant floor safety. “One of the things we have struggled with for the last several years is explaining to people why we are so serious about security in control systems,” he observes. “It’s almost like, in the case of control systems, somebody had to come up with a primary imperative—the compelling reason for cyber security. And while safety may not be the only compelling reason, it’s certainly a major compelling reason.”

Many industrial companies today have ingrained safety cultures. “We have gotten to the point where everybody ‘gets it’ at some level. We wear hard hats. We wear steel-toed shoes. We know about protective personal equipment,” says Hegrat. But typically, a corresponding “cyber-security culture” has not yet developed. People still bring in Universal Serial Bus (USB) sticks and plug them into plant floor devices, despite the fact that this could infect control system networks with harmful viruses or cyber worms. And they still write their passwords on sticky notes attached to their terminals, despite being told repeatedly not to do so.

Can vs. should

That’s why the big winners in the trend toward safety and security convergence are likely to be asset owners, says Hegrat. “That’s really where the biggest benefits are going to happen because people will start to realize that just because they can do something doesn’t mean they should,” he asserts. “It’s technically feasible to surf the Web from an HMI (human-machine interface),” Hegrat observes. “But I don’t recommend it; just because you can, it doesn’t mean you should.”

Related Feature - Security and Safety Follow Parallel Paths
To read the feature article relating to this story, go to www.automationworld.com/feature-5822.

Subscribe to Automation World's RSS Feeds for Feature Articles

More in Control