Human Centered Design is Key to Industrial Control Systems Security and Safety
In reviewing material about Industrial Control Systems (ICS) there is one element that, in my opinion, is the most important factor to consider - especially in light of the recent hubbub about Stuxnet and ICS Security. That element is human centered design.
Every aspect of the control system life cycle, whether it is Concept, Design, Construction, Operation, Maintenance, Safety or Security, includes the human element. It is nothing new, but we all see time and time again where human factors, rather than technical factors, play a major role in security and/or safety issues.
Example 1: The Three Mile Island Incident
The incident at the Three Mile Island Unit 2 (TMI 2) nuclear power plant occurred on March 28, 1979 near Middletown, Pennsylvania. My point in using this reference today is that a significant factor that contributed to the disaster was operator confusion. The operators did not realize that the plant was experiencing a loss-of-coolant, even with alarms ringing and warning lights flashing. They in fact took a series of corrective actions that made conditions worse.
Example 2: Stuxnet
In my reading of the various reports on Stuxnet, the consensus appears to be that the initial point of infection was a portable storage device such as a USB thumb drive. Someone had to plug this portable media device into a computer at the target site in order for the ICS to become infected with the malware and its payload. Once again the “human element” plays a featured role in the incident. (See Eric Byres' article The Stuxnet Mystery Continues for more information on Stuxnet propagation.)
Human Centered Design is becoming a focus for ICS security
In both of these cases (and many more) it seems that learning from the mistakes of the past is a forgotten art. Thankfully recent developments in control systems design appear to be correcting this oversight by quantifying the value and benefit of ICS human machine interfaces (HMI) and making them more human centered by design, not by afterthought.
A positive action is that a number of the leading ICS companies formed the Abnormal Situation Management (ASM) Consortium. Its purpose is to develop and advocate best practices for avoiding plant operational disturbances, and this includes addressing the human usability and operability of control systems.
ASM’s research aims to ensure that the transfer of information and situational understanding between technology tools and humans is accurate, so that proper awareness, corrective actions and decisions follow.
What we need to do is build upon the good work that has been done on operator interfaces and operating environments, plus the lessons learned from previous incidents, and “bake” this knowledge into all aspects of the ICS life cycle, including ICS security and safety systems.
Lessons from the past still relevant
I thought I would highlight some points from the findings of the 1979 Three Mile Island investigation:
- That plant and equipment design requirements are upgraded and strengthened
- The requirement that plants MUST be able to shut down automatically
- That human performance is taken into account as a critical part of plant safety
- That operator training and instruction must be adequate
- That it is crucial that safety related problems are identified early
- That disturbance-related system data is collected and assessed so lessons of experience can be shared and quickly acted upon
- That both plant performance and safety performance are validated
- That risk assessment methodologies are used to identify vulnerabilities
How many of these findings are still relevant to your overall control system, especially control system SECURITY today? I think that this list is every bit as important today as it was 30 years ago – and I would love to hear your opinion.
This article is a special guest contribution by:
Practical SCADA Security thanks Ron for this article.