I really wish things were as simple as Dale Peterson makes them out to be. I’m not an apologist for the security situation among industrial control systems. But if all we had to do is lift a pen and sign off a few dozen checks, the security issue would have been done and gone already.
First, allow me to remind everyone that money is spent on control systems because it is less expensive than employing lots of people to do the drudgery that automation does. If security increases the staffing costs beyond a certain point, however, the return on the investment in all that automation may not be there. The next automation upgrade may not happen and, instead, more primitive controls may get installed. Don’t dismiss this notion casually; there are people in executive positions making this calculation right now.
Second, the people on the plant need to learn this stuff. This is an issue of recruitment, training, and retention for ALL staff working on a secure industrial control system. Staffing for something like this is not trivial. You don’t just grab an IT employee, give them a couple of weeks’ training, hand them a hard hat and tell them to get busy. There is safety training, process training, cross-training with instrumentation technicians, and just plain orientation and introductions to the various people on the plant. This can take at least a year before one can safely allow someone to work independently on a decent-sized plant. And then look at the turnover rate of OT employees. Now think about what a sustainable staffing solution would cost and you start to see some of this problem. It is NOT cheap.
Third, a lot of the grief caused by sharing industrial control system data goes back to a bunch of ill-conceived demands by overly empowered people asking for information that they do not understand. In other words, reporting infrastructure has existed within industrial control systems since my career took off over 30 years ago. Someone needs to review what these demands on information are and whether they’re really necessary or whether they need to be handled the way they are. This is not trivial work.
In fact, it is a major rethinking of how the information flows from the industrial side of the control system to the rest of the company. It is both technical and political and it needs to happen from within the organization. Most consulting firms can’t spend enough time to figure this stuff out, and then sell it politically and technically to the company. It has to come from within.
Fourth, it is hard to justify this expenditure based upon how the Risk Management Frameworks look. The actual published events are comparatively scarce. Someone is just as likely to pick at a few numbers they don’t fully understand and come up with the wrong conclusion that this is a lot of expenditure for nothing. This is because people do not understand how badly they may be exposed. Of course, they won’t understand this until they deal with my Third point.
I’m not justifying the situation. What I have to say to Dale Peterson and others is that this problem is a much tougher nut to crack than it first appears to be. If it were as simple as he portrays this solution to be, we wouldn’t be discussing this.