ISA Automation Week Day One Wrap Up: Building an ROI for Industrial Cyber Security

Building an ROI for Industrial Cyber Security? Start by Measuring the Business Performance of Real-Time Systems.

Today marked the first full day of ISA Automation Week 2013.  While attendance seemed low, no doubt due to the overlap with the fall ICS-JWG conference, the energy was high and the sessions have been spot on.

Dr. Peter Martin of Invensys delivered an important message about performance measurement in today’s ISA Automation Week Keynote: Production is one of, if not the highest contributors to a company’s bottom line.  However, in current corporate reporting practices, the impact of real-time production can be invisible to the executive layer.  A CFO may report on the financial impact of monthly operations, but real-time metrics (or even hourly or daily) simply aren’t produced in manner digestible to corporate officers and bean counters.  This is a real concern that I’ve observed first-hand: often the important minutia is overlooked, making process improvements—from safety, to production, to security—seem like a corporate burden rather than a benefit. 

Although Dr. Martin didn’t speak to cyber security requirements per se, cyber security is definitely a production improvement that can easily be mistaken for a corporate burden.  The keynote reminded me of conversations with Smart Grid Security’s Andy Bochman, who is a vocal advocate of top-down cyber security.  Simply put, unless cyber security becomes a boardroom requirement, it can never be fully and effectively implemented.  Unless cyber security can be measured in terms of business performance, the boardroom will never fully understand, or care.

To paraphrase Dr. Martin’s words, “anything other than real-time measurement is, by definition, out of control.” Luckily, the same logic used to measure production metrics in real time can be easily adapted to produce business performance metrics in real-time.  These can feed up to daily measurements (via a Historian), and ultimately to monthly measurements, pre-translated for the CFO.  

This is an important but often overlooked consideration, and to many it represents an entirely new perspective on industrial automation requirements.  It’s especially important because—as subsequent sessions made clear—the current state of industry cyber security is leaving systems highly vulnerable.  Dropping a firewall in place at the IT/OT perimeter isn’t good enough anymore.  Michael Firstenberg of Waterfall Security presented not one but thirteen ways to bypass a firewall.  Later, Eric Byres of Tofino discussed the inadequacy of perimeter security, leading an active discussion on how to implement the ISA-99 (now IEC 62443) zone and conduit model, using tiered segmentation as well as defense-in-depth. 

Implementing a more mature cyber security profile within automation means an investment in both time and resources.  Being able to measure business performance in real-time is the first step in justifying the ROI of this much-needed increase in cyber security controls.