Protecting what matters most

I heard some surprising and insightful conversation from a pair of young schoolchildren the other day.

Joedamadman: Thomas School Bus

They were chatting about riding the bus to school. One of them said, “I don’t understand why the bus driver is the only one who gets a seat belt.”

“Yeah”, came the response, “and he’s the oldest one!”

Although they couldn’t tell you so, these¬†two students were already grasping some important concepts about safety, security and risk.

  1. They honed in on the purpose of the school bus — to get *the students* to school safely (rather than the driver).
  2. They did a comparison of useful remaining life — reasoning that it makes more sense to worry about the children, because they have longer to live than the bus driver.

Those same thoughts have a nice analogy to ICS security.

  1. Whether your business is generating electricity or making cookies, your most important computing assets are those controlling the industrial process — it’s the production network that is making you money! You should not ignore its safety and security while only investing in protection for the “enterprise side”.
  2. Withe a limited budget you’re going to have to choose where to dedicate the most resources. There may be significant challenges with securing older plants. If you are going to build a new facility it is your chance to invest in a lifetime of a more-secure, more-safe control system. Focus your security efforts and budget where they will serve you the longest.