01 April 2004

Who's the enemy? Don't look at IT

By Eric J. Byres and Jim Bauhs

The IT community is a huge resource with knowledge on what works and doesn't work when it comes to security. We need to harness that knowledge and technology.

Not too long ago Eric Byres cowrote a column with Dr. Dan Hoffman of the University of Victoria entitled "IT security and the plant floor" (InTech, December 2002). We outlined the reasons why information technology (IT) security technologies don't work well in the industrial setting. Little did we know what a storm of controversy we would create and how people would misunderstand our column.

Almost immediately a deluge of e-mails came from control engineers complaining about the mean and nasty IT department that got in the way of efficient production. For some reason they thought the column justified an attitude of mistrust between the plant floor and IT staff. The technologies may need adjustment, but the IT security department is our ally, not our enemy.

Unfortunately the attitude of blame rather than cooperation is all too common. For example, a few months after the column appeared, the Slammer worm penetrated the Davis-Besse nuclear power plant, resulting in the following newsgroup postings:

  • "A MIS department (I believe that stands for misinformation services) has no business touching a system that they don't know about. These are not just simple computer networks; not only do they control revenue, but they also control safety (equipment and personnel)."
  • "If Homer Simpson does work at that plant, I'd say that he is the system administrator. Leaving servers unpatched like that is pretty sad, especially in a critical place like this."

While these comments were not directly from the staff of the facility involved, they were from contributors who claimed to have extensive power industry experience. We believe they are indicative of attitudes prevalent on the plant floor.

The real enemy

Blaming each other for security issues misses the point-the enemy is not the other department, but the hacker or virus attempting to infiltrate the company systems. Pointing the finger at the other business unit for security issues is certainly not helpful in reducing the risk. The existence of numerous common technologies means the enemy is not unique to either the control or IT environments; it is a common and shared adversary.

The outcome of security incidents is potential loss to the company that can affect everyone. The IT community is a huge resource with knowledge of what works and doesn't work when it comes to security. We need to harness that knowledge and technology. After all, the controls industry has done a great job of modifying the underlying communications technologies to meet industrial requirements. Now we need to do the same to password policies, firewalls, virtual private networks, and the like.

Before this can happen we need to do two things. First, as control engineers, we need to really understand how the plant environment differs from the average IT environment.

Getting this information isn't always easy to do, but you can often dig it up from control specifications and safety requirements that already exist in most plants. If we give the IT department the cold, hard facts about what a control system is and what it needs to operate well, then everyone is more than willing to help.

Second, and most important of all, we need to work closely with the IT department and make it our friend, rather than an enemy. After all, you and IT have the same ultimate goals of protecting the company.

There are a number of excellent techniques that can move a collaborative relationship forward, including multiparty goal setting and self-assessment. One of the quickest ways is the formation of a cross-functional team with members from the control and IT constituencies. Each environment has strengths and weaknesses and can learn from the other to improve in a number of job functions in addition to security.

Ideally, any cross-functional team should be empowered to identify, prioritize, recommend, and execute a joint security program. The potential of a group like this to build off of each other and bring different perspectives forward will greatly enhance the organization that makes this investment.

The security threats we face today are only growing stronger and more numerous. Security in the industrial plant needs to be collaborative rather than each department being out for itself. Only by working together can we reliably secure our control systems against tomorrow's cyberattacks.

Behind the byline

Eric J. Byres, P.E., is a faculty member and research manager of the Internet Engineering Lab at the British Columbia Institute of Technology. His e-mail is ebyres@bcit.ca. Jim Bauhs is global plant operations - information protection manager at Cargill Inc. His e-mail is Jim_Bauhs@cargill.com.