Automation Professionals and the Need for Safety and Security

By Eric Cosman

Overview

Those who contribute to the design, implementation and operation of automation strategies have seen their roles changing in the face of new and expanded expectations in areas such as process safety and cybersecurity. The lines between traditional roles such as automation engineer, safety engineer, and cybersecurity expert are blurring.

It is unreasonable to expect automation professionals to become experts in designing, operating, and supporting complex IT systems, networks and security management systems. Their time and resources are limited and effort spent learning and applying these skills detracts from that required to develop, apply and maintain control strategies.

When planning the “people” element of cybersecurity response, it’s essential to identify and examine the implications for the required disciplines. ARC Advisory Group conducted a workshop as part of our recent 2016 Industry Forum in Orlando, Florida to examine these implications in the context of use cases and experiences from end users and product and technology providers.

Panelists and attendees identified several specific themes in the course of the workshop. The first of these is the evolving relationship between industrial control systems (ICS) cybersecurity and process safety, which has led to the definition of a coordinated approach to risk management. Configuring and operating safe and secure automation systems also requires strong management of change processes and the identification of relevant metrics and key performance indicators.

Although the intent was to focus this workshop on the people-related aspects of security management, much of the discussion focused on technical topics and techniques. While the technical details must be addressed, it is equally important to consider the impact of this technology and expertise on the roles, responsibilities, and accountability of those who support and operate automation systems.

More research is required to determine how to foster the necessary cooperation between the various disciplines and expertise areas. No single model will apply to all situations, but the use of formal competency models and discipline descriptions is an essential prerequisite.

The Changing Face of Automation and the Automation Professionals

The automation of industrial processes has been a well-established area of expertise for many years. Those who contribute to automation strategy design, implementation, and operation have seen their roles changing in the face of new and expanded expectations in areas such as process safety and cybersecurity. The lines between traditional roles such as automation engineer, safety engineer, and cybersecurity expert are blurring. In many cases, the need for increased productivity precludes having separate experts in each of these areas.

As has been the case with process safety or the transition from proprietary to commercial control systems, the increased need for security has driven automation professionals to acquire familiarity with new subjects, ranging from network design and communications configuration to use of specialized security technologies.

The increased use of commercial-off-the-shelf information technology has also influenced the role of the automation professional. Experience and skill in the use of an increasing array of technologies has become a common expectation of automation engineers and technicians.  ARC expects this trend to continue as automation solutions become more sophisticated and integrated with business processes.

Concurrently, time and resources are limited and any time and effort spent learning and applying these skills depletes the time and resources available to develop and apply control strategies. It is unreasonable to expect automation professionals to become experts in designing, operating, and supporting complex IT systems, networks, and security management systems.

While it is certainly possible for automation professionals to develop the expertise required to address cybersecurity and its implications for industrial automation and safety, this may not be the best approach. As has been the case for process safety and complex multi-variable control, it may be preferable to develop collaborative relationships with those with specialized expertise. There are several possible models for such collaboration and at this time it is unclear that any single model is best for all situations.

Implications for the Automation Professionals

Regardless of the model selected, it is clear that there will be implications for the automation professional.  It’s essential to identify and examine these implications when planning the “people” element of the cybersecurity response.

The specific objective of the workshop ARC held at our recent ARC Industry Forum in Orlando was to examine these implications in the context of use cases and experiences from end users and product and technology providers. The workshop took the form of a panel discussion, with each panelist summarizing their perspective on the topic. This was followed by questions from and discussion with participants. The panel consisted of three representatives from end user companies, one from a services provider, and one from a certification body.

Prior to the Forum, ARC proposed several questions for consideration in the form of an earlier Insight:

  • Are the safety and security of industrial processes being addressed using a common or shared risk management methodology? If not, should they?
  • Who is ultimately accountable for the performance of automation systems with respect to safety and security?
  • Are all of the specific responsibilities associated with meeting these challenges understood and clearly assigned?
  • Do automation professionals have the awareness, experience and knowledge necessary to consider the security and safety aspects in automation system design?
  • What level of expertise is required in these areas in each individual facility, rather than being centralized or shared across multiple facilities?
  • Should users change their current deployments, where cybersecurity and process control have been separate disciplines, and add IT staff to their process automation organizations?

Workshop Themes

Panelists and attendees identified several themes during the workshop.

The first of these is the relationship between ICS cybersecurity and process safety. Acceptance of this relationship has been growing in each of these disciplines. The importance of process safety as a driver is one of the fundamental concepts in the ISA/IEC 62443 series of standards, and the ISA84 committee on process safety has published a technical report addressing the security of safety-instrumented systems. Both the NIST cybersecurity framework and the ISA/IEC standards emphasize the need for a risk-based approach to security.

Several groups have been working on a risk management approach that combines security and safety. There is an increased acceptance of a “cyber process hazard analysis (Cyber PHA)” as part of assessing automation systems. Configuring and operating safe and secure automation systems also requires strong management of change processes and the identification of relevant metrics and key performance indicators.

Company executives and board members are also expressing more interest in the security of automation systems. They are challenging engineering and operations staffs to demonstrate that they have addressed security in the design, configuration, and operation of these systems.

Outsourcing and the use of external parties to monitor and maintain automation systems leads to the need for secure remote access. This is particularly true in the case of preconfigured automation systems, often associated with packaged or skid-mounted equipment.

These and other trends have led to the need for increased collaboration between security and automation experts. Identifying specific roles and responsibilities is key, as is assigning clear accountability for various aspects of security.

Observations and Conclusions

Although the intent was to focus this workshop on the people-related aspects of security management, much of the discussion centered around technical topics and techniques, such as secure remote access, application control (i.e., whitelisting) and network configuration.

While the technical details must be addressed, it is equally important to consider the impact of this technology and expertise on the roles, responsibilities, and accountability of those who support and operate automation systems. Simply adding new expectations and requirements to existing personnel is not a sustainable strategy.

More research is required to determine how to foster the necessary cooperation between the various disciplines and expertise areas. No single model will apply to all situations, but the use of formal competency models and discipline descriptions is essential.

Recommendations

Based on ARC research and analysis, we recommend the following actions for owner-operators and other technology users:

  • Define specific needs and responsibilities for ensuring the safety and security of industrial control systems, and assign these to clearly defined roles
  • Assess the impact of changing responsibilities and expectations on the workload and effectiveness of automation personnel, and make any adjustments that may be required
  • Share your experience with potential models and approaches with others by contributing to case studies and other research in this area

 


Keywords: Competency, Cybersecurity, Process Safety, System Integrity, Cyber PHA, ARC Advisory Group.
