Beware of the hype
By Dean Ford, CAP
Do you have a plan to combat the fearmongers and the shiny-new-thing pushers? I grew up in the plant floor automation business. I have seen a lot of change in technology, and I have seen a lot of resources wasted on things that really had no business case. Recently, this waste seems to be focused on cybersecurity and other shiny new things. In an age where the pace of technological advancement is higher than ever, our profession is being bombarded daily with the next great thing. Managers get calls from highly effective salespeople and do Internet searches that teach them of all the threats they must protect against and all the opportunities they are missing because they do not have X, Y, or Z. This pressures automation professionals to also focus on cybersecurity and new technologies and usually forces them to bypass some critical decision steps.
Automation professionals are on the front lines of risk management and mitigation. The cyberthreat is merely one of many threat factors to overall risk management, and it gets far too much attention. Our profession is getting a lot of pressure to spend money on this. "Your peers are doing it, why aren't you?"
If you have heard me speak at various conferences, you have likely heard some shocking words. Cybersecurity is not the threat that it purports to be. In one session recently, I was challenged. A prominent manager at a utility had done a lot of surveys with conclusive results. Cybersecurity was in the top five biggest perceived threats to operations. I agree it is a threat, but I challenge the notion that it is our greatest threat from two sides. First, if it were truly that large a threat, every utility would be budgeting lots of money to address it. That is not happening, and the more advanced utilities and companies are not wasting resources on it for very good reasons. Second, there are far greater threats that should be dealt with first. Planning is the key to relieving the pressures.
The cyberthreat is merely one of many, many risks that must be addressed in our operations. If your organization is currently involved in any sort of cyber-assessment or mitigation project, and you have not first assessed your risk profile, then you have missed a critical step. Ask to see the data that shows this is your number one threat to operations. I have found that in 100 percent of cases, threats exist with a far greater impact to operations than a cybersecurity incident. Bad business decisions are made in the name of cybersecurity, like removing remote access from maintenance personnel, which significantly increases costs and response time for troubleshooting. What are we really trying to protect against?
I propose a different path. An overwhelming majority of cyberrisk can be eliminated through simple procedural and policy changes that cost no money. Instead of spending money to prevent a cybersecurity issue, first go through the exercise of assuming you will be hacked. How will you and the organization respond? What key decision-making process do you need in place? What is the hierarchy? Who is authorized to call something a disaster? Is your disaster recovery plan in place and has it addressed things like building a new automation platform from bare metal? Have you tested it? Are your backups working? The list goes on. The key point here is that if someone wants in, he or she is going to get in, and it will be through normal channels. All of the money spent to prevent a hack will be useless.
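The questions "Are your backups working? Have you tested it?" only get answered by actually restoring. The script below is an added example, not code from the column or its author: it builds a small constructed backup of a hypothetical PLC project (a tar archive plus a SHA-256 manifest), restores it into a scratch directory, and checks every restored file against the manifest and the archive's age. The file names, paths and sample contents are all constructed for the demonstration.

```python
"""Test-restore check for a backup archive (added example, not from the article).

A backup that has never been restored is an assumption, not a control. This
script builds a constructed backup (tar.gz plus a SHA-256 manifest), then
"restores" it to a scratch directory, verifies every file against the manifest
and checks the archive's age. All paths and file names are hypothetical.
"""
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir: Path, archive: Path, manifest: Path) -> dict:
    """Archive source_dir and write a manifest of relative path -> sha256."""
    entries = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source_dir).as_posix()
                entries[rel] = sha256_of(p)
                tar.add(p, arcname=rel)
    manifest.write_text(json.dumps(entries, indent=2))
    return entries


def verify_backup(archive: Path, manifest: Path, max_age_days: float = 7.0) -> dict:
    """Restore the archive into a scratch dir and compare it with the manifest.

    ok        - True only if every listed file restores with the expected hash
                and the archive is no older than max_age_days
    missing   - manifest entries absent from the archive
    corrupted - restored files whose hash differs from the manifest
    extra     - archive members the manifest does not list
    """
    expected = json.loads(manifest.read_text())
    age_days = (time.time() - archive.stat().st_mtime) / 86400.0
    missing, corrupted = [], []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            # Refuse members that would be written outside the scratch directory.
            for m in tar.getmembers():
                if m.name.startswith("/") or ".." in Path(m.name).parts:
                    raise ValueError(f"unsafe member path in archive: {m.name}")
            tar.extractall(scratch)
        restored = {
            p.relative_to(scratch).as_posix(): sha256_of(p)
            for p in Path(scratch).rglob("*") if p.is_file()
        }
    for rel, digest in expected.items():
        if rel not in restored:
            missing.append(rel)
        elif restored[rel] != digest:
            corrupted.append(rel)
    extra = sorted(set(restored) - set(expected))
    ok = not missing and not corrupted and age_days <= max_age_days
    return {"ok": ok, "missing": missing, "corrupted": corrupted,
            "extra": extra, "age_days": round(age_days, 3)}


def demo() -> tuple:
    """Build a constructed backup, verify it, then corrupt it and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "plc_project"  # hypothetical source tree
        (src / "hmi").mkdir(parents=True)
        (src / "plc_program.acd").write_bytes(b"constructed PLC program image\n")
        (src / "hmi" / "screens.xml").write_text("<screens/>\n")
        archive = tmp / "plc_project.tar.gz"
        manifest = tmp / "plc_project.manifest.json"
        make_backup(src, archive, manifest)
        good = verify_backup(archive, manifest)

        # Simulate silent corruption: rewrite the archive with one changed file
        # while the manifest still records the original hashes.
        (src / "plc_program.acd").write_bytes(b"bit-rotted program image\n")
        with tarfile.open(archive, "w:gz") as tar:
            for p in sorted(src.rglob("*")):
                if p.is_file():
                    tar.add(p, arcname=p.relative_to(src).as_posix())
        bad = verify_backup(archive, manifest)
        return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("fresh backup:", good)
    print("corrupted backup:", bad)
```

The manifest is written at backup time and the check is run against a real restore rather than against the archive's own listing, so a backup job that silently writes truncated or stale data shows up as `missing`, `corrupted` or an `age_days` beyond the window; scheduling `verify_backup` and alerting on `ok == False` is what turns "we have backups" into a tested recovery plan.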
With a sound risk management and disaster recovery plan, you not only address cybersecurity incidents, but you also mitigate fires, theft, weather events, rogue employees, etc. And perhaps, during the risk mitigation planning, cybersecurity jumps out as a critical need, and you have to develop some projects for network segregation. At least then you will know that the capital is being deployed in the best way and for the correct priorities. I suspect you will find that you should be fixing the power failure scenario that causes hours of downtime, or moving the server out of the control room, or simply upgrading the automation platform to current hardware with parts that you can buy from a more reputable place than eBay.