Page 88 - Cyber Defense eMagazine July 2024
the furnace under one of your crackers? Would you prefer a mechanical, spring-loaded over-pressure relief valve that, if the cracker over-pressurizes, is forced open mechanically to route hot hydrocarbons to a flare stack? Or would you prefer a longer password on the computer controlling the furnace?

Most people answer that they would prefer a mechanical valve – these valves have no CPUs after all, and thus are in a real sense “unhackable.” True experts respond that they want three or four of these valves, thank you, because there are risks of corrosion and metal fatigue that might impair the operation of a single valve. And they want a longer password on the computer controlling the furnace. And they want an absolute “boatload” of cybersecurity in addition to these two measures – this is their life on the line after all. This latter answer is the correct one – when we “spend the CIE coin,” we do not spend one side of the coin or the other. We spend the whole coin.

But think about it – where is the over-pressure relief valve in the ISO 27001 standard? In the NIST Cybersecurity Framework? Or even in the industrial IEC 62443 standard? There is no hint of over-pressure relief valves or other engineering tools in those standards – these are cybersecurity standards, not engineering standards. Safety engineering, protection engineering, automation engineering and related disciplines all have powerful tools at their disposal to address all threats to physical operations. These tools have not been applied universally nor systematically to address cyber threats, but they should be.



The Most Significant Change In a Decade

CIE is arguably the most significant change in OT security in over a decade. When engineering teams and even many enterprise security teams learn about CIE, they often react with something like, “This makes so much sense. Why is this new? This shouldn't be new. Why have we not been looking at the problem this way since the beginning?”

Engineers understand consequences, physical process design, and a wide variety of “unhackable” electro-mechanical and other protections, and need to come up to speed on cyber threats and the applicability of their tools to cyber threats. Enterprise security understands threats and the “boatload” of cybersecurity mitigations that can be deployed as needed for those systems that do not yet have electro-mechanical or analog mitigations. With each team contributing their unique knowledge and perspectives, the OT security problem suddenly becomes tractable and affordable.

Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.