Contradicting paradigms of control systems security: how fundamental differences cause conflicts

During recent years control systems are being integrated with the internet. The integration presents, besides less protection by isolation, more vulnerabilities because of connection to other networks. When IT solutions are imposed upon a group, it causes conflicts due to differences in perspectives between the two groups. To be able to secure the current legacy equipment and to cope with the intensified integration of networks and systems, the values and perceptions on security need to be aligned. Eventually, a shared perspective on security is expected to be vital for the IT/OT, while not underestimating the usefulness of conflicting values. In this article, first the IT/OT integration is explained, secondly literature on IT values and conflict is elaborated and thirdly the future scenarios of control system security are discussed. F.A. Schoenmakers Contradicting paradigms of control systems security (4-2013) 2 capabilities and user base. The control systems needed to become more ‘intelligent’, mainly for two reasons: 1. Organizations required more information for daily tasks. They noticed that computer systems enabled them to gather more data about the business, which could provide them with a more solid base for decision making (Kuipers & Fabro, 2006); 2. Innovations in society and governmental regulations required the electricity sector to make adaptations to their infrastructure. Examples of these innovations are: activate demand response at client side; better incorporation of decentralized generation and storage in the electric grid; maintenance or even improvement of the existing high levels of system reliability, quality and security of supply; significantly reduction of the environmental impact of the whole electricity supply system (Collier, 2010). What currently happens in the control system industry is illustrated by Rod Beckstrom (2012) and his theory on interconnectivity, also referred to as “the connectivity of things” or “the internet of things”. He describes three laws regarding the interconnectivity. (World Economic Forum, 2012): o Law 1: everything that is connected to the internet can be hacked; o Law 2: everything is being connected to the internet, and o Law 3: everything else follows from the first two laws. Beckstrom (2012) tries to indicate that everything which is connected to a network is vulnerable for attacks of hackers. This interconnectivity leads to less isolated, and thus more vulnerable control systems for which three causes can be identified. First, connection of control systems to corporate networks becomes more common and bring them out of their prior isolation. The boundary lines between internal and external networks are diminishing as a result of increased interconnectivity within and between organizations as well as the rapid rise in deployment of wireless technologies (Center for Strategic and International Studies, 2011). Second, commodity IT solutions are used. Offthe-shelve IT solutions are implemented to automate control systems such as Windows operating systems and TCP/IP networking (Industrial Defender, 2012). Third, open design protocols are used (Netbeheer Nederland, 2012). Old control systems had unique protocols, the protocols currently used are more accessible and open. In this manner, attackers can gain (or mostly already have) knowledge about the protocols to enable targeted attacks. The three trends result in a more vulnerable environment for control systems. Therefore, the IT integration in control system requires a sharp focus on a crucial aspect of control systems: cyber security. With regard to cyber security, there is a cause for concern regarding the differences in perspective between groups of persons that are active on the industrial control systems. IT systems are inherently exposed to malicious entities. In order to have an effective security policy, to some extent there needs F.A. Schoenmakers Contradicting paradigms of control systems security (4-2013) 3 to be a shared perspective on security. Two important groups are identified. The operational technology (OT) specialists, who are active on the operational domain, and the Information Technology (IT) specialists, who are active on computer and network security, are bound to work closely together. Based on literature, we expect that (ENISA, 2012): The conflicts in cultural values and the consequent difference in (cultural) perspective cause conflicts that lead to security issues in control systems. A shared perspective on security is likely to increase cyber resilience; attention and commitment to security should increase security (World Economic Forum, 2012). Yet, it has to be recognized that differences in perspective could have a positive contribution to security. The central question in this article is: to what extent are differences in perspective functional and when do they become dysfunctional? The formulated proposition and research question are analyzed with an analytical lens that is constructed on two papers on cultural conflicts. First, with Von Meier’s paper on the causes of cultural conflicts and second. Second, with Leidner & Kayworth’s paper focusing on the implications of cultural conflicts. In the last section a figure is drawn of the relations from issues to implications. Hereby creating the ability to anticipate on the positive and negative implications of conflicting values and/or shared values. 2. Co n f l i c t i n g v a l u e s i n t h e c o n t r o l s y s t e m d o m a i n This paper focuses on two conflicting perspectives in control systems domain: the IT specialist and the Operational Technology (OT) specialist. The IT specialist has two commonly used synonyms: (cyber) security specialist and control system security specialist. Also the OT specialist has two synonyms: (operational) engineer and control system specialist. In this paper the terms IT specialist and OT specialist are used to distinguish between the two groups. In the literature significant differences are found regarding technical requirements and aspects when comparing the ‘business IT’ – generally the domain of IT specialists and the ‘industrial IT’ – generally the domain of OT specialists -. The corporate network is considered as the business IT domain, where in many cases administrative and supportive services are carried out, services like sales, billing, taxing and orders (Ernst & Young, 2011). The industrial IT is considered to be part of the operational network. This network primarily comprises SCADA systems and is usually the operational center of the control system network that actually controls production. In theory, the people working on these different systems have different (group) values, depending on the subgroup they belong to (Byres, Carter, Elramly, & Hoffman, 2003). OT specialists are involved F.A. Schoenmakers Contradicting paradigms of control systems security (4-2013) 4 in the design and operation of systems that have a high physical interaction: the production systems that are controlled interact directly with the physical world. Requirements as safety, reliability and availability (SRA) are valued as the most important design criteria (Stapelberg, 2008). A particular system must be available, with for example an uptime of 99,9%. Also, due to the high physical interaction, safety is important and must be guaranteed. This mostly refers to the (physical) safety of the people who are involved and in contact with this system. The IT specialists are involved in securing system and networks. In general, the IT specialist has a different set of requirements than the OT specialist. In literature confidentiality, integrity and availability (CIA) are the criteria that are valued the most for IT specialists (Wu, 2009). These criteria are reoccurring and seem to be dominant in securing the systems and networks. To gain more insight in what the possible consequences of contradicting values between groups can are, relevant literature on conflicting cultures will be discussed. The literature of Von Meier explains how certain values are inherent to specific subgroups. Consequently problem perception, problem definition and possible solutions are difficult to decouple from the specific subgroup, because in respect to their own values their arguments and perspectives make sense. Contradicting values between groups could cause and/or contribute a great deal to difficulties in securing control systems. The issues with the difference in perspectives occur are at the bottom of the organization, where people influence the organization with practical actions and decisions. Management can decide to invest heavily in security, but in the end the people who work with the security implications have to understand, agree and accept these decisions. Not only understanding is necessary, but also shared values on security might be preferred. A shared perspective could contribute in the decreasing conflicts caused by different perceptions on security. 3. C o n f l i c t i n g c u l t u r e s Von Meier (1999) focusses on cultures as the decisive factor on conflicts in technological innovation. Suppose a technological innovation is available and ready for an organization to implement in their systems. It is argued that there is a difference of interest between two groups. Von Meier illustrates this with an example: the engineer finds the efficiency and reliability of the system of significant importance. While the operator predominately wants to ensure safety. These ‘conflicts of interest’ are believed to be the root cause of failures to adopt new innovations. The conflict of interest impedes to some extent the cooperation between the groups. The most important conclusion of Von Meier was the following: “conflicting values and judgments can arise not only from conflicting interests, but from differences of interpretation” (von Meier, 1999, p. 101). F.A. Schoenmakers Contradicting paradigms of control systems secu