Preventing a Cyber Pearl Harbor

Nov. 6, 2013
End users, industry suppliers and government experts discuss public/private partnership to address industrial control system cybersecurity at ISA Automation Week event.

Here’s how to get everyone’s attention at a cybersecurity discussion: Say that some people think a cyber Pearl Harbor has already occurred, but that you think the real cyber Pearl Harbor is still to come, because the cybersecurity breaches that have occurred to date have not involved loss of life or impacted the economy as much as a full-on cyber Pearl Harbor will.

That’s how retired USAF Brigadier General Rudolf Peksens kicked off the first cybersecurity panel discussion at the 2013 ISA Automation Week. He then went on to say that if you are involved in automation, you are already involved in cyber conflict. “The bits and bytes in our systems have been weaponized,” he said, “and your systems are being penetrated at will.”

As someone responsible for automation use and application, if those two observations don't get your attention, I’m not sure what will.

The panel discussion Peksens chaired at the event focused on how the government and private industry have been working and continue to work together to address critical infrastructure cybersecurity issues. If you're thinking you’re probably not a part of the country’s critical infrastructure, think again. Here’s the official list: chemical manufacturers, commercial facilities, communications, critical manufacturing, defense industrial base, emergency services, energy, financial services, food and agriculture, government facilities, healthcare and public health, information technology, nuclear reactors/materials/waste, transportation systems, and water/wastewater systems. Chances are, if you’re reading this, you are in or closely connected to one of these identified sectors.

Other members of the panel included: Samara Moore, director of Cybersecurity Critical Infrastructure Protection in the White House National Security Council staff; Eric Cosman, operations IT consulting engineer at Dow Chemical; Lee Lane, business director at Rockwell Automation; and retired USAF Lt. General Bob Elder. Elder was on the panel due to his position as research professor at George Mason University conducting research in the areas of integrated command and control, operational resiliency in degraded environments, strategic deterrence, and the use of modeling to support national security decision-making. Peksens, who led the panel, now works at iiGrowth helping companies adapt to cyber challenges. He previously worked in the defense industry for 15 years where he was most recently the director of strategic pursuits in the Raytheon Company's Network Centric Systems.

Less than a year following the release of the Obama Administration’s executive order 13636 to improve critical infrastructure cybersecurity and Presidential Policy Directive 21 aimed at critical infrastructure security and resilience, a great deal of groundwork in getting government and private industry to collaborate around cybersecurity has been laid. Much of that groundwork, according to Moore, has been focused on improving “the timeliness and quality of the information we share internally with other government agencies and with industry.”

This focus on information sharing is aimed at helping all players understand where security gaps exist and how to address them, Moore says. It is also aimed at sharing tips on how to best monitor for unexpected activities and have a plan in place for what to do when/if something occurs.

Eric Cosman of Dow Chemical explained that, through his work as vice president of standards and practices at ISA, he is an advocate for “the needs and constraints of industrial automation” and is focused on providing practical direction for industrial control system security to foster a collaborative response to create a comprehensive approach to industrial cybersecurity.

“The need for IT (information technology) and OT (operations technology) cooperation is most evident around cybersecurity,” Cosman said. By focusing on this interaction of groups, Cosman said he hopes to draw attention to the fact that human behavior is as critical to effective cybersecurity as systems are. “Cybersecurity is not all about technology,” he added.

Elder added to Cosman’s human factor comments in his discussion of a cyber ecosystem, which involves developing a “dynamic defense process that detects behaviors and indicates problems. Situational awareness for operators is critical to the success of the cyber ecosystem.”

As an example of the need for greater situational awareness, Elder cited the mass damage done as a result of Hurricane Katrina in 2005. It wasn’t the hurricane that caused all the damage, he said, it was that some floodgates weren’t operating properly and key people weren’t aware of it. As a result, the floodwaters overcame the levees and submerged low-lying areas of New Orleans.

To help address end user knowledge gaps around industrial cybersecurity issues, Cosman noted that ISA has several efforts underway in addition to ISA 99 to certify cybersecurity capabilities of staff. He added that the Automation Federation also has a Security Compliance Institute that is “developing materials to assess compliance of technologies and, ultimately, systems and programs along the lines of IEC 62443 series.

“There is also a good deal of private company cybersecurity certification in process,” Cosman says. As a result of the numerous ongoing efforts, he expects there will be some shakeout in widely accepted certifications as they develop.

In the near term, Moore added that input is still being sought from industry for NIST’s Cybersecurity Framework, developed to support the Administration’s executive order 13636. View information about the latest version of the draft and comment on it via [email protected].

About the Author

David Greenfield, Editor in Chief

David Greenfield joined Automation World in June 2011. Bringing a wealth of industry knowledge and media experience to his position, David’s contributions can be found in AW’s print and online editions and custom projects. Earlier in his career, David was Editorial Director of Design News at UBM Electronics, and prior to joining UBM, he was Editorial Director of Control Engineering at Reed Business Information, where he also worked on Manufacturing Business Technology as Publisher. 
