The great Chinese military strategist Sun Tzu, in his book “The Art of War”, stated (to paraphrase) that “if you know yourself and the enemy, you will prevail in every battle”. This saying applies to the protection of the industrial control systems that form the technical foundation of today’s critical infrastructure. One long-term trend has been the convergence of Information Technology (IT) with Operational Technology (OT). IT has come to the OT world in a big way, especially with the advent of the Industrial Internet of Things (IIoT), which refers to smaller devices that act as sensors collecting and relaying data for later analysis. The usefulness of this collected and evaluated information provides convincing arguments for adopting this new technology, and both industry and policy makers support it as a great way to “improve efficiency, reduce downtime and save money”. However, amidst all the great selling points, the new vulnerabilities and IT security concerns introduced by the increased connectivity of these devices (from the plant floor to the office) go unrecognized. Too often the engineering/OT mindset dominates, leaving the threats emanating from cyberspace, well known to IT security practitioners, out of the calculations. What is missing is a way to introduce IT security concerns and balance them against the safety, availability and integrity interests of the OT engineer and the cost-saving interests of management.
This is why I think the new ISA/IEC 62443 based training in industrial cybersecurity offered by ISA is a significant step in the right direction for improving the protection of critical infrastructure. So often at conferences that discuss IT and industrial control systems, I hear about the need to follow the ISO 27000 standard. An IT security standard is not enough to address the security issues raised by control systems. Nor is it enough for an industry brochure to emphasize that the box containing the device is fully compliant with a standard for a box (2). I don’t wish to advertise or be a cheerleader, but ISA should be congratulated for this initiative on ISA/IEC 62443. It should address a serious awareness issue. I have been making a point in my presentations of making use of standards and guides that specifically address critical infrastructure protection. Usually I find the audience is hearing about ISA 99 / 62443 or NIST 800-82 Rev. 2 for the first time.
However, some precautionary questions remain regarding the potential benefits of this new training to the security of our critical infrastructures. Is the material covered and the information provided a good match for the challenges faced by practitioners in the control system world? Is the coverage mostly theoretical, or is there significant input from engineers working in the field who have special knowledge of the problems encountered (and can share some practical lessons learned) and of solutions already developed (but not shared)? Are appropriate updates made to the course content when the security environment changes? Do constructive criticisms and suggestions from field practitioners for improvements in the covered material get a fair hearing?
One important point to consider is the level of support from management for taking this course. Do staff get their managers’ support for attending this training? The basis for this support is an appreciation of the differences between IT and OT approaches to security and of the need to build a bridge between them. If a manager with OT “blinders on” says to an interested employee, “you don’t need this”, little good will come from this initiative. On the other hand, some awareness of the IT vs. OT security issues will do much to address the long-term problem of cross-training IT and OT practitioners, an issue that will require more attention as IT and OT convergence continues. To paraphrase the ancient Chinese military strategist Sun Tzu: “If you know IT and control systems, you will always protect your critical infrastructure”.
2. ANSI/IEC 60529-2004, Degrees of Protection Provided by Enclosures (IP Code). http://www.nema.org/Products/Pages/Enclosures.aspx