
Prevention before Detection in Industrial IT

1 May 2017

Currently, I’m working on a paper for safety engineers about cyber security requirements for Safety Instrumented Systems (SIS). In preparation I examined some of the existing publications from other European countries, e.g. the paper ‘Cyber Security for Industrial Automation and Control Systems (IACS)’ from the British Health and Safety Executive (HSE).

In the chapter ‘Note 5 – Define and Implement Countermeasures’ one reads:

A hierarchical approach should be adopted, for example prioritising implementation of measures such as inherent resilience, and prevention (e.g. physical security controls, authorisation and authentication) over other measures for detection.

That is diametrically opposed to Gartner’s advice ‘Shift Cybersecurity Investment to Detection and Response’. Gartner’s Sid Deshpande said in an interview:

Gartner is now recommending to companies that they shift their security spending to have at least 60 percent of their security budget to be spent on detection and response, up from 10 to 15 percent today.

I think Gartner’s advice needs to be seen in the context of the industry where one works. IT security deals with Confidentiality, Integrity, and Availability (the CIA) issues. Every industry has specific requirements regarding CIA issues. For example, integrity of product and production plays a higher role in pharmaceutical production than in the process industry. This can be shown very well with a spider diagram:

Figure: CIA-Diamond (spider diagram).

In general, Gartner’s advice is useful where we have a high demand for addressing confidentiality issues. In industries where integrity plays a major role, the Gartner advice is less useful because you cannot wait until a customer or the FDA detects that a drug has a wrong composition.

Figure: CIAS-Diamond (spider diagram with Safety added).

Safety is a game changer. As soon as we face medium or high safety requirements, Gartner’s advice is counterproductive.

Have a great week.

SearchSecurity – On prevention vs. detection, Gartner says to rebalance purchasing

28 June 2014

On prevention vs. detection, Gartner says to rebalance purchasing.

In this post Eric B. Parizo, Executive Editor for TechTarget’s Security Media Group, makes clear that the effectiveness of traditional, signature-based protective technologies like intrusion detection and prevention or antimalware will significantly decrease in the future.

Gartner’s Adaptive Security Architecture (ASA) is a new approach for defense against targeted attacks. ASA is a reactive defense strategy based on continuous monitoring and analytics, and should be complemented by traditional, signature-based proactive technologies.

This ASA approach has one small(?) weakness: in the time between an attack, its first recognition and the implementation of protection measures we are left defenseless! This time should be kept as short as possible to prevent greater damage.

In my opinion, there is a third, recommendable way: Micro-Virtualization.

Micro-Virtualization is a new approach for defense against attacks, not only targeted ones, that irons out the weakness of the ASA approach. An e-mail client or an internet browser session is completely isolated from other tasks and the operating system. Only the data required for successful execution of the task (Need-to-Know principle) is loaded into the isolation container.

In the case of an attack only the data inside the isolation container is affected, and at session end the malicious code is destroyed together with the isolation container. This feature makes Micro-Virtualization a perfect complement to ASA and the traditional signature-based approach.

For more details about Micro-Virtualization please see www.bromium.com.