SCADA Security, Compliance, and Liability — A Survival Guide

Two of the hottest topics in the industrial world today are security and compliance. The controversy surrounding them centers on how they should be interpreted and addressed in the current environment. Although regulatory bodies, industry trade groups and operators themselves are working diligently to produce clear and concise guidance, no prescriptive or definitive roadmap exists for achieving full compliance.

As a result, operators are confronted with an almost overwhelming number of standards, guidelines, and “best practices” that require interpretation with little guidance on how to do so. Exacerbating the issue, operational and security requirements are often confusing and sometimes inconsistent with one another. As examples, security-related documents often purport to be the required standard even when they are not, while security programs are frequently not tailored to the needs of the specific operation they are supposed to protect.

Addressing these issues requires an understanding of the requirements and the development of a solution appropriate to them. While a one-size-fits-all solution is not possible, there is a process (hereinafter, the “Holistic” approach) that aggregates the requirements and best practices available to industry, allowing each company to design and implement a solution that makes sense for its own organization and facilities.

The Holistic approach provides a roadmap to help achieve compliance while avoiding the fatal error of treating security as simply an “add-on” to operations. The pitfall of the widely used add-on approach is that narrowly focused security solutions often address the technical requirements of the moment, while failing to consider the additional requirements imposed by evolving regulations and standards.

SCADA (Supervisory Control and Data Acquisition) system users have been the most severely affected by the recent increase in regulatory and standards activity. On the security side, SCADA operators are also confronted with the lingering “IT vs. SCADA”, or “them vs. us”, issue, along with the debate over the cyber security threat itself. One faction insists there is a real and valid cyber threat to critical infrastructure. Another claims there is not enough evidence to support that claim, and that the real threat lies in other factors such as physical or human risk.

We believe that both threats are real and need to be addressed. With compliance activity on the increase, the challenge for operators is to interpret, and potentially comply with, the myriad standards, guidelines, and best practices that have been released. Unfortunately, these documents provide very little guidance on exactly which standard or best practice addresses which of the threats currently confronting operators.

Even in more heavily regulated industries, such as the electric utility sector, where definitive regulatory guidance has been established with NERC CIP, the requirements are still vague and watered down enough that neither security nor compliance is assured.

All of these issues have the potential to cause serious repercussions for your organization, since either an incident or an audit failure could result in significant financial loss. This article addresses these issues by taking the Holistic approach.
