Bryan Owen

Process industry isn’t ready to jettison the Purdue model

Blog Post created by Bryan Owen on Jun 5, 2016

Over lunch a colleague posed the question: Looking ahead, what industrial cyber security issue concerns you the most? It’s a fun question in security circles, and responses generally get more interesting around late-night fireside chats. What’s fun is everyone can weigh in. Whether user, business person, public watchdog, or anarchist – the diversity in perspectives makes for good conversation.


Although responses cover a wide range, there are some common themes:


Doomsday scenarios

Security analysis conditions us to think not only about what can go wrong but also about what can be induced to go wrong (my apologies to Murphy’s law fans). However, like many engineers, I am biased toward optimistic forecasts, so my responses tend to steer clear of doomsday issues.


Internet of Threats

A popular response these days is concern over security issues related to Industry 4.0 and IoT devices. A counter to this position is to compare IoT to the legacy installed base of insecure-by-design control system technology. Modernization with newer technology likely brings more security upside than the status quo.


Cloud Computing

Stickers reading “There is no cloud. It’s just someone else’s computer” sum up this perspective. Trusting someone else to safeguard all your data is indeed a long-term issue, but this isn’t as popular a concern as it was a few years ago. We are now observing a rapid pace of security innovation because of cloud services. In comparison, traditional on-premises solutions are a pain to update and monitor for security assurance. However, there are still plenty of concerns along the lines of a tweet from Marina Krotofil with a Purdue Layer 6 diagram that sparked plenty of snark.


Social Engineering

Human firewalls are a long-standing favorite discussion category. Can we really claim meaningful progress over the stories from Mitnick’s classic “Ghost in the Wires”? I hope so. IT defenses can and must elevate to neutralize phishing and ransom scams that rely on social engineering to prey on innocent victims. More important in OT, as we pursue automation, is understanding when open-loop systems are most appropriate.


So how did I respond? Yeah, it was a derivative of ‘Internet of Threats’. Looking ahead, my concern is about consumer-grade IoT devices spilling over to industrial use cases for which they were never intended. It happens innocently (e.g., a home router used on a factory floor), and it seems many are on a path to repeat this kind of mistake. Closer to home, the Jeep hack involves a stereo system connected to the Controller Area Network (CAN bus). Adjusting volume for speed was well intentioned, but this implementation resulted in a glorious failure.


The stakes are even higher for most OSIsoft customers. Process industry isn’t ready to jettison the Purdue Enterprise Reference Architecture (PERA) model and maybe never will be. More generally, we do need to build and operate systems that are ‘fit for purpose’. 


In closing, the optimistic view for industrial cyber security can be achieved with a community effort. For OSIsoft, we see the security development lifecycle process as essential to building software that is ‘fit for purpose’.