That’s the good news, says Brian Singer, chair of the Instrumentation, Systems and Automation Society’s ISA-SP99 committee, which is developing standards for electronically secure manufacturing. The bad news, on the other hand, is that many top managers still aren’t buying into the idea.
“A lot of people know that they need to take action, and many times, they know what actions they need to take to eliminate a lot of the [cyber security] risks that they have. But because they can’t measure the benefits, they can’t convince management to make the investment,” Singer told an audience at the recent WBF North American Conference, in Atlanta.
But as more companies gain experience with early cyber security initiatives, that picture is beginning to change, said Singer, who is a senior business consultant, Network Security Services, for Milwaukee-based Rockwell Automation Inc. (www.rockwellautoma tion.com) “When we’re going out and doing these projects now, we’re spending a lot of time talking about return on security investment, so that people understand that there are benefits that you can expect to earn,” said Singer. “It’s a difficult measurement, but the benefits are there.”
During his WBF presentation and in a subsequent interview with Automation World, Singer described some of the measurable benefits that are beginning to show up when companies do make cyber security investments. For one thing, an investment in a better network security architecture can give manufacturers the confidence to make broader use of remote support services, which can lead to bottom-line savings, Singer said. Other savings can come when security policy procedures are put in place that require specific steps to be followed before shop floor personnel or outside vendors can make changes to equipment, for example. “When you force them to make change logs and go through levels of approval, there are better checks and balances on the whole system,” Singer explained. This can lead to a reduction in errors and operational problems. A third area where cyber security savings can be often be measured is in the application of better design practices involving control data and business data traffic on Ethernet networks.When security dictates that factory networks be segmented, or that certain process lines be isolated, one from another, for example, the result can be a reduction in network-clogging business traffic on control local area networks. This can produce measurable improvements in overall network uptime, availability and performance, Singer noted.
Hard Dollar Savings
In a few early projects, some manufacturers have been able to measure a return on security investment in the range of 18 percent to 22 percent, just on these kinds of hard dollar benefits, said Singer. But for most companies, that is typically not enough to justify a cyber security project, he conceded. “Most people need between 30 percent and 40 percent to justify expenditures, or less than a three-year payback.” As a result, the return on security investment calculation must also typically include some measure of risk mitigation. And Singer noted that this can still be a very tough sell. “If you go to the vice president of operations and say you’ve got a security project that costs $200,000 and it will get rid of $400,000 in risk, he’ll say, ‘What do you mean, risk? I don’t understand.’ ”Even when plant personnel can agree on a number for the annual cost of actual control security incidents suffered by a plant, management typically wants proof of those costs, Singer observed. “And most of the time, that proof doesn’t exist.” The fact that most companies today don’t track control security incidents remains a major impediment to more aggressive industrial cyber security initiatives, Singer said. “We need better tracking and more open sharing of information.” But even that is beginning to change. According to Singer, a number of large manufacturing customers are now launching cyber security organizational measures that will enable better incident tracking. “They’re putting response teams in place, and they’re writing new policy documents for the shop floor. These are pretty low-cost items, but at least they’ll have people tracking when they’ve had an attack or when they’ve had a virus,” said Singer. “So by next year, they’re going to have some proof to back up where these risk numbers are coming from.”