Never forget the human element.
We rely on automated computer systems and automated machinery to keep our infrastructure alive. But we all too soon forget, that automation is a relatively new thing in our society. We believe it is a necessity, when it is merely a convenience.
The attack of Siemens industrial control systems reminds me not that we are vulnerable to attack (which of course everyone is to some degree), it reminds me that before those control systems were in place, we had humans doing those same control jobs. The human element.
Oil platforms, water facilities, power plants and the like were all operated by human beings before they were operated by industrial control systems.
Are we truly in danger? Well yes and no. It depends on our preparation.
If we’ve become so accustomed to automated industrial control that we no longer have human workers that know not only how a specific plant is supposed to operate, but also how to operate it, then yes, we are in danger.
But if we still have human workers that know the intricacies of their jobs, that know exactly what a steam pressure gauge in a power plant should read, and that know how to manually operate (or shut down if necessary) equipment, then we are in no more danger than we were before the days of automated control systems.
Automation, and control systems are all great. They are a sign that we’re moving forward with technology and innovation. But the old days of mechanical valves, gauges, switches, and workers who know how to operate them are as important, if not more important than their high tech counter parts.
Why? Because Stuxnet may be powerful enough to be able to trick my Siemens controller into falling apart at its seams, but no cyber warfare attack is powerful enough to trick an analog pressure gauge into reading incorrectly, or to trick a gate valve into closing itself when it should be open, or to trick a worker into suddenly forgetting that 100psi is right on the money, and 200psi means something is wrong.
So is our safety against a cyber attack like Stuxnet in defense or in offense?
Of course it’s both, but in my opinion it’s offense that is more important and time critical. Eventually every aspect of cyber defense will be defeated somehow or another. Even the most complicated network security architecture will eventually be broken and something new will have to be invented. But offensively we can push ahead. There is absolutely nothing stopping me from unplugging my Siemens controller and operating my plant in full manual mode except preparation and education. Provided that I plan for such a scenario and have knowledgeable workers on hand, no automated system should ever be able to run itself out of control.
Take automation out of the calculation and you’re left with the human element.
So are we safe from cyber attacks as far as our core infrastructure goes? Yes, we are. Provided there are humans who are attentive to their jobs, watch for and are prepared to handle any abnormalities, have the knowledge necessary to attend to these abnormalities, and have the courage to react to them quickly and skillfully.
We lean on technology every day of our lives, but we should never forget the days not long ago when technology leaned on us.
It wasn’t long ago that the human element was the most important part of any operation, not automation, and if need be we must know how to return to that time at a moments notice.
The funny thing about technology and automation is that there is always downtime. There is always a significant amount of time between ‘threat realized’ and ‘threat patched’. With humans that downtime is insignificant. We react immediately to new challenges and to new problems. We are more dynamic than we give ourselves credit for, and with the right knowledge and preparation, no cyber attack will ever cripple our core infrastructure.
Even with defenses on the ready, there are always vulnerabilities. Our offenses however, have always proved dynamic, resilient, and strong. If we are prepared and always cognizant of the human element, no threat from any form of cyber warfare will ever be more than a nuisance to us.