What does OSHA teach us about industrial cybersecurity? Clearly, high cybersecurity risk could increase the risk of industrial accidents, but OSHA’s model can help in other ways. Prior to 1970, worker safety in industrial settings was considered a secondary concern. Executives managed safety on an exception basis. Few organizations tracked employee injuries and even fewer measured or managed lost time due to safety incidents. Business lobbies argued that manufacturing environments were safe and that incidents were rare and impossible to eliminate without impacting industrial innovation. Companies managed “performance” metrics such as cycle time, throughput, COGS, etc., but executives downplayed safety for several reasons, which may sound familiar to people involved in industrial control system (ICS) cybersecurity.
- Deaths were seen as affecting an inconsiderable portion of the total population of workers. In most cases, it was due to employee error rather than environmental factors. Most companies hadn’t been impacted by a serious incident.
- The economic impact of worker injuries or sickness was small. Few plants had been shut down by safety incidents, and the cost of healthcare didn’t fall on the company.
- There was no way to measure safety incidents in any consistent way. When they occurred, no one truly knew what to report or even wanted to report it.
- There was no way to track the contributions to greater safety risks. The only measures were “outcome”-based – i.e., detecting an incident after it happened. Most organizations could not track or manage the leading indicators of risk.
OSHA changes manufacturing, worker safety
In the late 1960s, the manufacturing industry began to change. The watershed moment in the United States was the passage of the Occupational Safety and Health Act and creation of the Occupational Safety and Health Administration (OSHA) in 1970.
Now, 50 years later, safety is simply expected, and organizations measure and report on safety from the individual plant and facility levels all the way up to corporate metrics. The United States National Security Council estimates that deaths due to workplace injuries are one-third of what they were in the 1960s.
So what changed? Why did industrial organizations from the United States to emerging markets measure and manage safety more closely?
- Government and private sector regulation forced a reckoning as local, state and national leaders responded to the pressure from unions and employees to protect workers. OSHA allowed the federal government to set standards and penalize companies for poor safety practices – not just for those who had incidents. Insurance companies were on the hook for workers’ compensation claims and instituted audits to ensure organizations followed best practices on leading indicators of injuries that may correlate to insurance claims.
- Organizations measured all events including smaller incidents that were previously ignored. This data on reportable incidents, which was publicly disclosed in anonymized data, allowed organizations to put true costs to the reality of hidden workplace injuries or sickness.
- Finally, companies found a way not just to track the outcome (i.e., injured workers), but also the “input” that could be managed to reduce the number of safety-related incidents. Tracking and managing these leading indicators allowed management to discover what enabled risks. In addition, OSHA and other government agencies around the world funded research on what leads to an increase in risks. Facilities and plants reported on their compliance with standards such as safety lanes for traffic in a plant, the use of hardhats, etc. This began a cultural shift that brought safety into training and introduced regular safety messages before group meetings.
Three manufacturing lessons for cybersecurity from OSHA
This begs the question: Is the OSHA model relevant for cybersecurity? Can our experience of dramatically improving industrial safety through OSHA inform how to address industrial cybersecurity? The answer is yes. We can apply many of the same principles and approaches to addressing cybersecurity today as we did 50 years ago in safety. That said, manufacturers should not expect immediate results or quick fixes.
There are three keys to achieving similar improvements in cybersecurity as in safety:
- Change requires recognition of the impact of cyber-related events on safety, production, and potential external organizations. Today, a general refrain sounds like, “Well, hackers haven’t impacted my operations” or “I’m too small, too insignificant, too something to be a target for an attack.” Hackers have managed to inflict damage on several industrial companies, but the public announcements are still few and far between.
This is very similar to the safety situation 50 years ago. Incidents were rarely reported and there was little research on actual rates. Today, this is the issue in ICS security. While some may discount reports on the number of ICS incidents, we don’t know the answer without transparent reporting. Will this require government action as with OSHA? Perhaps.
Research indicates that corporations make cybersecurity investment decisions based on cost-benefit modeling (see Loeb et al., “Increasing Cybersecurity Investments in Private Firms,” 2015). Corporations invest based on their analyses of potential risk and impact. The research by Loeb et al. also indicates that the amount invested is less than optimal based on “option theory” and negative externalities (i.e., impact on other companies or individuals) that are not included. These cost-benefit trade-offs cannot succeed without transparent incident reporting, and the negative impact from reporting creates disincentives. Uncovering the real extent of the threat and its impact on the economy requires similar government intervention to bring the information out of the shadows.
- Cybersecurity incident reporting, however, is not enough. Just as in safety, the real impact does not come from reporting only major incidents – e.g., ransomware or a malware infiltration, etc. Progress requires measuring and reporting on the inputs. In cybersecurity, this includes data on vulnerability status, patch status, insecure ports and services, misconfigured devices, and user and account insecurities. These are the “inputs” that increase the risk of attack. Safety in manufacturing only improved once the root causes started to be measured. One can think of an unpatched critical vulnerability as similar to yellow lines not being painted to ensure safe operations or employees not wearing personal protective equipment (PPE), etc. They are the contributors to incidents. Just like in safety, organizations struggle to measure these critical inputs.
- Delivering meaningful cybersecurity improvement comes when these inputs are not just measured, but managed, as well. It is not enough to measure the key inputs to cyber risk such as vulnerabilities, etc. To achieve impact, organizations must apply targeted remediation to reduce those risks – and report on those changes in risk inputs on a regular basis. Just as in safety where organizations employ scorecards to track the “leading indicators” of injury, ICS organizations must track cyber measures as they move from red to green.
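A minimal sketch of the leading-indicator scorecard described in the last two points, added here as an illustration and not taken from the article or any vendor tool. The inventory rows, indicator names, and red/amber/green thresholds are all constructed assumptions.

```python
from collections import defaultdict

# The five risk inputs named in the article (field names are assumptions).
INDICATORS = ("critical_vulns", "patches_missing", "insecure_ports",
              "misconfigs", "weak_accounts")

# Constructed sample inventory: (period, site, asset, one count per indicator).
INVENTORY = [
    ("2024-Q1", "plant-a", "hmi-01",    2, 5, 1, 1, 2),
    ("2024-Q1", "plant-a", "plc-01",    1, 3, 0, 0, 0),
    ("2024-Q1", "plant-a", "plc-02",    0, 4, 1, 0, 0),
    ("2024-Q1", "plant-a", "eng-ws-01", 3, 6, 2, 1, 3),
    ("2024-Q2", "plant-a", "hmi-01",    0, 1, 0, 0, 2),
    ("2024-Q2", "plant-a", "plc-01",    0, 0, 0, 0, 0),
    ("2024-Q2", "plant-a", "plc-02",    0, 2, 1, 0, 0),
    ("2024-Q2", "plant-a", "eng-ws-01", 1, 0, 0, 0, 3),
]

# Assumed thresholds on the share of assets with at least one open finding.
GREEN_MAX, AMBER_MAX = 0.10, 0.40

def status(share):
    if share <= GREEN_MAX:
        return "green"
    return "amber" if share <= AMBER_MAX else "red"

def scorecard(rows):
    """Return {(period, site): {indicator: (share_of_assets_affected, status)}}."""
    groups = defaultdict(list)
    for period, site, _asset, *counts in rows:
        groups[(period, site)].append(counts)
    card = {}
    for key, assets in groups.items():
        card[key] = {}
        for i, name in enumerate(INDICATORS):
            share = sum(1 for a in assets if a[i] > 0) / len(assets)
            card[key][name] = (round(share, 2), status(share))
    return card

def trend(card, site, earlier, later):
    """Direction of each input between two reporting periods."""
    out = {}
    for name in INDICATORS:
        before, after = card[(earlier, site)][name][0], card[(later, site)][name][0]
        out[name] = ("improved" if after < before
                     else "worsened" if after > before else "unchanged")
    return out

if __name__ == "__main__":
    card = scorecard(INVENTORY)
    print(card[("2024-Q2", "plant-a")])
    print(trend(card, "plant-a", "2024-Q1", "2024-Q2"))
```

The scorecard reports on inputs that exist before any incident, and the trend shows whether remediation is moving each one toward green.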
There’s too much focus on incident or anomaly detection in ICS cybersecurity today. This is like measuring safety events after they occur. Real progress occurs when companies use tools that provide deep visibility of 360-degree cyber risks, but also have the capability to manage those risks to demonstrate improvement in the “leading indicators” of cyber incidents.
Success in stopping ICS security incidents is feasible, but requires a focus on measuring, managing, and reporting on the input metrics rather than privately acknowledging cybersecurity incidents after it’s too late.