Standards for Productivity and Profit
Wednesday, May 18, 2016 @ 05:05 PM gHale
Knowing Safety, Security Standards Help Executives Make Right Business Decisions
By Gregory Hale
One refinery was running a very complex parallel network, and workers knew adhering to standards was the way to ensure a secure environment, save money and keep the system up and running for a more profitable enterprise.
Refinery security experts did a risk assessment and, through their understanding of the IEC 62443 security standard, looked at the zones and conduits model, which led to a risk analysis that unlocked a series of threat possibilities. That discovery allowed refinery workers to understand where their weaknesses were so they could keep the system up and running, which allowed for greater productivity and profitability.
“Standards help in that they allow us to see the big picture,” said Jay Abdallah, EMEA Cybersecurity Director at Schneider Electric. “They allow us to follow a checklist and implement the recommended guidelines.”
Indeed, part of a defense in depth model calls for segmentation via zones and conduits, which is part of the IEC 62443 standard. This model helps lock down a network. Under this scenario, a user should allow only the minimum required traffic into zones, and when threats do come through, alarms sound.
A conduit is a pathway of communications that exits and enters a zone. A zone is a specialized area on the network that needs protection.
The threats they identified for the refinery were a release of hazardous products, a process reactivity incident and a process shutdown. They then created a chart that looked at the vulnerability, then the possible threat source, skill levels, potential consequence, severity, likelihood and the risk. When they looked at the process shutdown they found an interesting development.
The chart showed the users they had never considered the safety system to be a security threat. The safety system was so critical it needed its own zone separate from the control system zone.
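An added illustration, not part of the original article and not the refinery's actual configuration: the zones and conduits model described above, written as a default-deny policy check in Python. Zone names, asset names, protocols and ports are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample model: zone names, assets and ports are assumptions.
ZONES = {
    "enterprise": {"erp-01"},
    "control": {"dcs-01", "hmi-01"},
    "safety": {"sis-01"},  # safety system kept in its own zone
}

@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    proto: str
    port: int

# Only the minimum required traffic gets a conduit; all else is denied.
CONDUITS = {
    Conduit("enterprise", "control", "tcp", 443),
    Conduit("control", "safety", "tcp", 502),
}

def zone_of(asset):
    """Return the single zone an asset belongs to, or raise ValueError."""
    found = [z for z, members in ZONES.items() if asset in members]
    if len(found) != 1:
        raise ValueError(f"{asset!r} must be in exactly one zone, got {found}")
    return found[0]

def evaluate(src, dst, proto, port):
    """Return (allowed, alarm) for one observed flow between two assets."""
    s, d = zone_of(src), zone_of(dst)
    if s == d or Conduit(s, d, proto, port) in CONDUITS:
        return True, None  # intra-zone, or crossing on a defined conduit
    return False, f"ALARM {src}[{s}] -> {dst}[{d}] {proto}/{port}: no conduit"

def audit(flows):
    """Collect the alarms raised by a list of (src, dst, proto, port) flows."""
    return [alarm for ok, alarm in (evaluate(*f) for f in flows) if not ok]

def zones_overlap(zone_a, zone_b):
    """True if any asset sits in both zones, i.e. they are not separated."""
    return bool(ZONES[zone_a] & ZONES[zone_b])

if __name__ == "__main__":
    sample = [("erp-01", "dcs-01", "tcp", 443),   # allowed conduit
              ("erp-01", "sis-01", "tcp", 502),   # enterprise -> safety: denied
              ("hmi-01", "sis-01", "tcp", 502)]   # allowed conduit
    print(audit(sample))
```

Conduits here are directional, so traffic from the safety zone back into the control zone raises an alarm unless a conduit for that direction is defined.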
As a result of the overall analysis, they ended up protecting the entire refinery with 14 firewalls which cost less than $200,000. To put that number into scale, the cost was small for the huge refinery. For any small- to medium-sized business, the cost would scale much lower.
In an industry that relies upon improving productivity to boost profitability, this was another case of how standards can come to the rescue to secure a system and keep a facility up and running. There is no doubt understanding standards is vital for the technically minded and process-driven engineering and operational staff, but it is also important for executives who key in on making the right business decisions.
Business of Standards
There are solid commercial reasons to make sure good safety and security standard practices are part of the design and operation of the plant:
• Meeting standards will drive better engineering practices
• Overall costs will go down
• Plant efficiencies go up
• Operations costs go down
• Maintenance costs go down
• Insurance premiums will reduce
• Does not cost more to do it properly
• Applied improperly could cost the company severely
Standards Bring Advantages
From an executive level, knowing the benefits and advantages of following standards will boost productivity and profitability.
“There is the carrot and the stick. The carrot is meeting those standards will drive better engineering practices and overall costs will go down, plant efficiencies will come up, operations and maintenance costs and insurance premiums will reduce,” said Sven Grone, Safety Services Practice Lead for Asia Pacific & Middle East at Schneider Electric. “Studies have proven what those elements will give you. There are good commercial reasons to want to make sure good safety practices are part of the design and operation of the plant.
“The second part of the commercial argument is at the end of the day the spend on safety automation in the context of the plant build is peanuts in the context of the overall spend. So it doesn’t cost them a lot to do it properly. The other side of the argument is if you do it wrong and have a failing that leads to a significant incident, it can be a company killing incident. If you look at what BP had to spend (on the Deepwater Horizon incident in the Gulf of Mexico), it has been over $25 billion since 2010. For most companies, that would have been a company killing event. Getting it wrong is bad, but doing it well can have commercial benefits.”
That falls in line with research reports showing that the policies and practices of top tier responders, often supported by standards, differed sharply from those of the less proactive bottom tier.
Top tier security providers are 2.5 times less likely to experience a major cyber attack and 3.5 times less likely to experience downtime, according to a report from Symantec. In addition, the report showed bottom tier organizations did not train employees on security best practices as often and they were likely to suffer heavier losses after a successful cyber attack.
Bottom tier organizations suffered 2,765 hours in cyber-related downtime, compared to the 588 hours suffered by the top-ranked organizations, according to the report. Any executive would jump at the chance for an additional 2,177 hours of uptime.
Another study, from Aberdeen, showed how top tier safety players compared to the bottom tier. A manufacturer in the top tier of safety levels would have a 0.2 percent repeat accident rate, a 0.05 percent injury frequency rate and 2 percent unscheduled asset downtime.
That compares to bottom tier performers, which have a 10 percent repeat accident rate, a 3 percent injury frequency rate and 14 percent unscheduled asset downtime.
Advancing Company Policies
Yes, standards are technical in nature and can make any executive scratch their head over the minutiae, but understanding what they could mean to the company can help lead to an overarching operating procedure.
“Industry standards are great because they provide best practices and recommendations and so on, but the corporation has to decide what they are actually going to do,” said John Cusimano, director of industrial cybersecurity at safety and security integrator, aeSolutions. “The way we are using standards is they have significant input into the development and writing of internal corporate secure system standards. Most of my clients have or are developing industrial control system specific internal standards. What they will do is look across the list of available standards, which almost always includes the IEC 62443, and the NIST Framework to leverage them to provide the common structure companies are adopting. And industry specific like the American Petroleum Institute (API) for petroleum or other industry specific standards will also be brought in. What eventually happens is they will take those existing standards and whatever internal standards they have and create a corporate specific document.”
Security Framework Grows in Usage
Manufacturers often take time to adopt standards, but within two years of its release the Cybersecurity Framework is in use by 30 percent of U.S. organizations, and that number could reach 50 percent by 2020.
Two years ago, the National Institute of Standards and Technology (NIST) released a document designed to help strengthen cybersecurity at organizations that manage critical national infrastructure such as banking and the energy supply.
Produced after a year of intensive collaboration with industry, the Cybersecurity Framework is now a tool used by public and private companies and organizations, from retail chains to state governments.
Executive Order 13636 issued by President Obama called for NIST to work with stakeholders to develop a voluntary framework based on existing cyber security standards, guidelines and practices to reduce risks to the nation’s critical infrastructure. Through an intense schedule of meetings across the country, NIST convened organizations large and small and from a variety of industries to shape the framework in just a year.
The framework is now used by 30 percent of U.S. organizations, according to the information technology research company Gartner, and that number will reach 50 percent by 2020.
The framework helps translate sector specific risk management jargon and “creates a common understanding amongst the sectors around various risk management terms and phrases,” according to a report by the Financial Services Sector Coordinating Council (FSSCC).
The FSSCC report also observed that “Chief Information Security Officers have been using it to communicate ideas and achieve ‘buy-in’ for various cyber security initiatives. Externally, institutions are using it to communicate expectations and requirements to non-sector vendors and third parties.”
The framework is a risk-based approach to managing cyber security. The framework’s core ideas — identify, protect, detect, respond and recover — help users evaluate their cyber risk and develop plans to manage it. It can guide them as they determine the cyber controls they choose, with consideration of any regulation or standards that may apply to their particular industry sector.
The document is also “a merger of business sense and cyber-logic,” said Matt Barrett, NIST’s program manager for the Cybersecurity Framework. “It allows organizations to choose controls and processes that work for their particular risk levels and mission or business needs.”
Yet another idea behind standards is not that they are technically focused, but that everyone within the organization needs to understand the meaning behind them.
“Any standard applies to anybody in the organization that has direct or indirect responsibility for a process,” said Farshad Hendi, Safety Services Practice Lead, Americas & Europe at Schneider Electric. “All need to be aware of the risks and the consequences, the standard needs to help them understand what they don’t know. The first thing we need to know is what do we not know. For plant managers, it is very important they know about the consequences that could happen to their plant. Incidents happened in Bhopal or in Texas City; if the people working in the plants had proper understanding of what could happen to them as a result of the mishaps, they would be more careful.”
The beauty of standards is they can give a solid framework from which to work.
“ISO 9001, which is a quality assurance standard, says you have to come up with a quality plan and procedures on how you can execute the plan, then record and document the fact you executed and then look for ways to improve and reduce your risk,” Grone said. “If an organization is following the standard and doing that on a regular basis in terms of auditing and continuously improving then they will be as safe as they can possibly be according to their own risk profile. That is not to say that companies that don’t follow the standard are not safe, it is just they are not able to sufficiently demonstrate they are as safe as they can possibly be, which leaves them exposed if there is an incident.”
“Standards create a baseline as to what organizations should be doing at minimum level of compliance. That is the baseline for a standard operating procedure across every system in your organization. If you do this you are more secure than you were before,” said Joshua Carlson, Cybersecurity Manager for North America at Schneider Electric. “It also gives us the ability to measure ourselves. We can go back and ask: Do I have a good firewall in place? Does it minimize ports and services capabilities? Do I have end point security protection with antivirus? Whitelisting, device control, removable media control: Do I have them in place and are they up to date? Measure yourself against each of those components, backups, disaster recovery, procedures and capabilities and you can say I have a good baseline coverage across the group.
“Some users measure themselves against the standards, then take it up a notch, or three or four, and say now that we have successfully done this for the past few years, for 2016 we will bring in an event manager, an event log manager, a log aggregator, some of the more traditional IT tools to capture network traffic and do some advanced analysis that organizations and standards don’t require or recommend at this point. Standards set a baseline to help determine where we stand today and then two years from now that marker can be moved a bit further down the road.”
“Yes, standards get you to a certain basic level. I have seen companies define the minimum level they expect their assets to achieve,” said Steve Elliott, Senior Director Offer Marketing for Process Automation at Schneider Electric. “One such company had a range of upstream assets of different vintages they acquired over the years that came with a lot of baggage. They had to define the minimum standard acceptable for those assets, versus the gold standard of where they want all those assets to be, so it is a journey. It is a continuous improvement process, difficult when you consider the assets were built 15 years ago when the considerations of standards in place were not the same.”
“ISA 99 and IEC 62443 (security standards) definitely give us guidelines, but they are not bulletproof,” Abdallah said. “When we really talk about this, it all comes down to risk and how we can manage it. We need to manage risk because we will never be able to eliminate it.”
Standards really come into play when there is an incident and it gets into litigation or insurance, then people come in and measure what are the industry practices and were you doing things according to industry practices.
“Industry practices are determined mainly by what the standards are,” said Nasir Mundh, Global Director Safety Services at Schneider Electric. “That is what your peers are doing. That is why your peers got together and built it. The standards committees are made up of people from the industry. They are not government-appointed people and not bureaucrats. Why is it important to follow the standards? That is how you are being measured, that is how you are going to be judged.”
Knowing how your organization will end up being judged and converting your weaknesses into strengths are main factors in applying standards from the plant floor up through the executive suite.
“Accidents may still happen, but if you are doing all the right things and are following all the process and procedures then it is an accident,” Mundh said. “But if you are not, then it is neglect.”