If your safety systems were compromised, would you know? Worse, what if your safety systems and HMIs were both compromised? Could you tell?
While industrial control systems (ICS)/operational technology (OT) cybersecurity is a relatively new discipline, its core mission is the same as that of any other discipline within critical infrastructure and process industries: ensuring the safety and reliability of key operations. This is captured poignantly in the recent Wall Street Journal article on the Oldsmar water treatment facility hack:
“Changes at the facility over the years had made him uneasy. Analog machinery had given way to digital systems, and critical water-treatment processes were now automated. The plant required little human intervention in day-to-day operations. Thanks to remote-access technologies, more maintenance and monitoring activities were being performed off-site by a third party. All this was great for efficiency, especially for his resource-limited operation, but what about the risk? Optimizing for cost and speed meant connecting more digital and networked technologies to his plant floor. Security was no longer simply a matter of gates, guards and guns. It had become a matter of bits and bytes.”
The novelty of OT cybersecurity is that it focuses on the digital parameters of critical operations, whereas traditional disciplines (e.g., EHSQ and operational risk management) primarily focused on the physical aspects.
And the fact is that today’s critical infrastructure and industrial operations — on which society relies — are extraordinarily vulnerable. First, these operations typically leverage control systems with 20-year-plus lifecycles; that is, the majority were designed and manufactured before systems were so digitally connected. Second, in cases where cybersecurity was addressed, organizations relied on security measures that have since become obsolete or ineffective, such as obscurity and air-gapping. Third, with a freer flow of information and cheaper access to technology, cyber (Read more...)
*** This is a Security Bloggers Network syndicated blog from The Mission Secure Blog authored by Rick Tiene. Read the original post at: https://www.missionsecure.com/blog/critical-infrastructure-threats-cybersecurity-is-a-safety-issue