In reflecting on experiences at the recent Smart Grid Road Show, it seems to me that in at least the power industry, there is still no widespread understanding of cyber-security as a program, the way people understand safety programs. For example, you walk up to a smart grid component vendor and ask “Is it secure?” and you’ll get an answer describing the encryption schemes the component uses, as if encryption were security. Contrast that with the answer you get from control system vendors when you ask them about safety. Ask a flow meter vendor, or a valve vendor, “Is your product safe?” Your answer will be something like “Yes, of course it’s safe! … ummm … What do you mean by that?”
People generally understand that safety is not a binary “yes” or “no” value. You can always be more safe, or less safe. Also, people generally understand that safety has context: the answer to “Is this product safe?” depends on the characteristics of the product, yes, but it depends just as much on what you’re using the product for, on how the product is installed and serviced, and on how the product is monitored and inspected. People don’t seem to understand this about security. Encryption is a technology used routinely in parts of a security program, but security is more than encryption.
Take, for example, a fire safety program. Everyone is familiar with basic fire safety. Everyone knows that fire safety is more than just “Is this particular component fire resistant?” Nobody is surprised to learn that a fire safety program involves building codes and inspections, fire prevention equipment and fire suppression equipment, training and awareness programs, fire drills and more. Everyone knows that not everyone needs to be a fire safety guru, but everyone expects to know what rules they have to follow and what to do in an emergency.
People expect that there are rules for fire safety. How often is this true for security?
A fleshed-out security program has most of the features of a fire-safety or process-safety program. People need to start understanding that there is a security program, that there are rules everyone has to follow, and that there are things to do in an emergency. All of us involved in developing security programs need to work hard to move people toward understanding security the way we all understand safety.
There is more on this theme, if you are interested, in the recording of the “Taking your Security Program to the Next Level” webinar at the main Industrial Defender website.