Cybersecurity in automation — legality and ethics
Do you know what your requirements are for cybersecurity on your projects? Are there any legal requirements for you to specify? Is it ethical for you to ignore the topic, or make the client responsible? Or, should the installing contractor provide a solution?
What the Experts Believe is Required
While attending a conference in Atlanta, I sat in on a session on the topic of cybersecurity hosted by a panel of industry experts. The session was on how the building automation industry is responding to the needs for cybersecurity on automation systems. The panel was a mix of manufacturer representatives, standards committee members, and other expert consultants.
In summary, there is some misunderstanding on what’s required legally, and a lot of indifference on what should be provided ethically.
What Really is Required
Legally, there are requirements for cybersecurity on all federal projects. The 2002 Homeland Security Act, which includes the Federal Information Security Management Act (FISMA), applies to every government agency and includes mandatory policies, principles, and standards. Since 2002, there have been additional follow-on laws, executive orders, and (what we see most often) simple contractual requirements. Each of these further clarifies the requirements for cybersecurity.
There are a handful of state requirements as well, but usually these focus on information technology and not automation systems. The data generated by our automation systems are more likely to be covered, but an appropriate resource should be consulted to make sure of any impacts to your projects.
As far as I am aware, no regulations have been passed that cover commercial projects, though there are some healthcare and financial cybersecurity laws that could indirectly affect a commercial project in those sectors. Some contractors might have a different opinion: even without regulations requiring cybersecurity, they have been subject to substantial legal and business consequences resulting from their failure to protect clients from gaps in their automation cybersecurity.
Think About What You Would Want
Although I’m not a lawyer, and don’t claim to know the full details of these laws, I do know that ethically we have a requirement to protect the safety of our clients, regardless of who they are. We don’t buy a house and not protect our investment. We get the keys to it, the title, and insurance to cover it for the what-if scenarios.
Think ethically about what the client should have at the conclusion of the project. Do they have the login credentials? But did you, or the contractor, keep a copy? Does your client have all of the certificates stating ownership and allowing them to make decisions about maintaining and upgrading their systems? Did you insist on a fence (firewall) to protect them from some neighbors or bad terrain nearby?
My Focus (and Hopefully Yours Too)
We need to make cybersecurity a priority for our clients. Cybersecurity is not an afterthought and it is not someone else's responsibility; it is a real and legitimate requirement for any automation-related project.