Enabling business through safety, security

With enough knowledge of a facility such as an oil platform, refinery, or pipeline network, a cyber attack that used distributed malware could lead to physical damage and serious losses of revenue.

By Gregory Hale, ISSSource March 28, 2016

An oil platform stood in the waves of the Gulf of Mexico a short time ago and, unbeknownst to workers on the rig and those offshore, malware was on board, turning that facility into a potential floating time bomb.

Malware, downloaded via satellite and through USB drives, had incapacitated computer networks and left the rig lifeless and unable to perform any duties for a period of time.

While the rig eventually came back on stream after workers fixed the locked-up system, it turned out a worm had been flooding their network. Had this incident been a targeted attack, the rig could have sustained major problems.

There is no telling how many millions of dollars that unplanned downtime cost the oil company. In today’s tight economy, companies, big or small, cannot afford to lose that kind of money to any kind of safety or security incident.

Uptime remains critical

The cost of unplanned downtime is just one case that shows management there is a solid business proposition behind employing solid safety and security programs. The idea gaining ground in the industry today is that safety and security are not just insurance policies to protect against an incident or bad guys, but rather a business enabler that keeps the network and system up and running, productive and profitable.

"The insurance justification doesn’t always work," said Farshad Hendi, industrial automation safety industry manager at Schneider Electric. "People will say I worked at this plant for the past 15 years and we have never had an incident. It is true you didn’t have an incident in 15 years, but that does not mean you will not have an incident tomorrow. Uptime and operational stability is something that resonates with people very quickly. If your plant is down for one week you can quickly determine the cost and you can quickly determine how much investment I need to put in and how much gain I will get."

Indeed, when talking about safety or security, users need to consider metrics such as improvement in the efficiency of operations, reduction in time to detect incidents, and return on prevention.

But "Wait a minute," a senior manager could say, "we have never been hit before, so why should I pay for something that doesn’t generate revenue?" The simple answer is that safety and security can pay big dividends.

"It is an interesting conversation to have," said Joshua Carlson, industrial automation manager for cyber security in North America at Schneider Electric. "The challenge is getting users to understand we are not just looking at the risk model and figuring out the probability. With cyber security, it is not a matter of if, but a matter of when. The challenge becomes at some point when are you going to have an incident and how much is it going to cost you?"

Mature vs. dynamic

Safety has evolved over the years to where manufacturers think safety first. But security is an entirely different beast. With its constantly changing dynamic force, it isn’t about hardening a system to keep bad guys out any more, it is now about being situationally aware—understanding what is happening within a system at any given time. And if the senior manager thinks attacks aren’t happening, think again.

Just look at the numbers: in fiscal year (FY) 2014, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) received and responded to 245 incidents reported by asset owners and industry partners. The energy sector again led all others in 2014 with the most reported incidents at 79, or 32%, followed by critical manufacturing at 65, or 27%. Of all the incidents reported to ICS-CERT, 55% involved advanced persistent threats (APT) or sophisticated attackers.

While the numbers reported to ICS-CERT may seem low, in reality, the vast majority of companies don’t report incidents, but instead, keep news of the attacks to themselves.

When it comes to safety, the numbers in dollars and cents can numb the mind, because in the U.S. major industrial incidents cost an average of $80 million each, according to a report from the Center for Chemical Process Safety (CCPS).

Focus results in savings down the line

To counter that, a company that is truly smart about safety, focuses on what it has to do, remains vigilant and is a top-tier organization could realize a five percent gain in productivity, according to CCPS statistics. In addition, a company employing a solid safety program could see a three percent reduction in production costs, a five percent reduction in maintenance costs, a 20% reduction in insurance and a one percent reduction in capital budget.

In the security realm, costs continue to rise: the average consolidated cost of a data breach is $3.8 million, up from $3.5 million the previous year, a 23% increase in the total cost of a data breach since 2013, according to a Ponemon Institute study of 350 companies spanning 11 countries.

In addition, malicious attacks can take an average of 256 days to identify while data breaches caused by human error take an average of 158 days to identify, the report said.

On top of that, in a separate study the Ponemon Institute found the average annual cost of cybercrime per large U.S. company to be $15.4 million, an increase of 19% from $12.7 million a year earlier. It also represents an 82% jump from Ponemon’s first study six years ago.

Ensuring you know

"What that really goes back to is to look over the course of the past 10 years and the variety of attacks that have happened in different industries like the Shamoon attacks in the Middle East (Saudi Aramco, RasGas and SAFCO suffered an attack wiping out over 35,000 hard drives on the business enterprise) and the water and waste water attacks in Illinois down to oil and gas refineries in the south," Carlson said.

"What happens is a lot of organizations say cyber security is very expensive. But what they fail to realize is someone breaks into an organization and turns a switch which turns the pump on and off until the pump dies and now all of a sudden you can’t process products and you could be causing environmental issues, you could be causing health issues with people around the area because of the equipment," Carlson said.

"Now you are shutting down to replace that hardware. What does that cost you? If I would have known I had an unauthorized person accessing the system well in advance of when the pump failed, and all I had to do is invest this small amount of money and a small amount of time, I could then have prevented this from happening. The same thing is true with safety. It has been happening with safety for 30 plus years—and that is where the similarities come in—how do we know when the pressure is too great, how do we know when the temperature is too high or too low, how do we know when the vibration is too high or too low? We have these mechanisms in place to tell us what is the current situation and if it gets too far out of spec, this is the reaction, this is what I can do from a safety perspective and that prevents explosions, prevents people from getting hurt, prevents the environment from being contaminated and ultimately is an enabler for the business and continues to allow you to do your business longer and more securely than if you had nothing in place."

And safety goes through the same type of discussion.

"Safety is more than just compliance, it is a way of providing some return to the business," said Steve Elliott, industrial automation senior director offer marketing at Schneider Electric. "It is about uptime, continuity, operational time, and it is still that threat, so it is more than compliance, it is also more than an insurance premium, how can we use it as a means of revenue generation?"

Effective tools

Just how do you prove a positive, profitable return for safety and security?

"We now consider security as part of the operational lifecycle especially when we are talking about critical infrastructure," said Jay Abdallah, industrial automation EMEA cyber security manager at Schneider Electric. "We are seeing things such as performance monitoring capabilities to proactively see when a company would experience an outage based upon the available statistics." From a safety perspective, looking at condition monitoring and management of safety functions in the field can help.

"I have developed a little return on investment (ROI) calculator that has a questionnaire and we ask the user some basic questions about metrics," said Sven Grone, industrial automation TMC business development at Schneider Electric. "We ask with your process and practices how long would it take to do a certain project. We then show them with the solution, we can do it in .01 times X. We do that in a series of activities associated with the management of functional safety. In the end we crunch some numbers and say if your plant has a revenue stream of $5 million a day and it costs you $150 an hour for an engineer and this system is $200,000 to put in, we can show you a return on investment in three months. The user can then take that tool that has their own metrics and show it to management to justify the cost."

Whether it is an ROI calculator or a Ouija board, users can look at the technology all they want, but they also need to look at factors associated with the risk of a cyber security incident. A cyber security incident could significantly damage perception of the organization, harm its reputation, and potentially cause a financial impact to the company or facility. Just ask Target, Home Depot, or Sony about that. Or even the victims of "Night Dragon," where over a two-year period attackers snuck into oil companies’ systems and stole information including financial documents related to oil and gas field exploration and bid negotiations, in addition to operational details on oil and gas field production supervisory control and data acquisition (SCADA) systems. How much was that worth?

If the company or facility appears to be at risk of losing financial information, harming the environment, or compromising safety, the company or facility could take a financial hit from fines, penalties or lawsuits.

Threat levels and costs

Whether it is a major cyber attack, a safety incident or malware downloaded onto an oil rig in the Gulf, there is a business justification to show that having the right safety and security program in place will enable the business to run more efficiently and productively.

"The threat level is changing and with every shutdown it is costing more money," said Nasir Mundh, industrial automation global director of modernization at Schneider Electric. "Because the plants are getting more complex and the processes are getting more complex, where at one point people were getting one or two products out of their feedstocks now they are getting multiple derivatives out of their feedstocks."

With the increase in complexity, the stakes are becoming higher for every single day of a shutdown. Every hour of shutdown is becoming more costly.

"The investment users put into making their systems secure or making them safer is very little compared to any shutdown they may have, which may not end up in a catastrophe, but would still be a financial loss," Mundh said. "By putting in these safeguards if you can prevent one shutdown, that is a tremendous saving."

Gregory Hale is the editor and founder of Industrial Safety and Security Source (ISSSource.com), a news and information website covering safety and security issues in the manufacturing automation sector. This content originally appeared on ISSSource.com. Edited by Chris Vavra, production editor, CFE Media, Control Engineering, cvavra@cfemedia.com.

Original content can be found at www.isssource.com.