Do you know what this is? The subject makes it seem obvious, right? Just another topic that doesn’t have anything to do with industrial automation! Well, not exactly; there was a time when that was a true statement, and risk management didn’t have anything (or much) to do with manufacturing, except, of course, when designing the machine for a new process, which is risky business in its own right. That isn’t, however, the risk management that I wish to speak of today; it has its place, and the two are closely related early in a project, but I digress.
Today, this risk management is about information security risk and the resources used on the factory floor. Do you have a computer controlling a machine that is running Windows Embedded? Is it connected to the network? That might be a risk; even if it is not connected to the internet, it is still at risk. How am I so sure? I held a meeting with a cross-functional group of my peers and conducted a risk assessment. In this assessment, we listed all the possible risks and attack vectors. We went into detail and argued back and forth, then we attached the probability of each of those risks being exploited, and from the list, those Windows Embedded boxes ended up quite high on the risk list, not because Windows is insecure.
On the contrary, Windows is quite secure when kept up to date. Unpatched, un-updated Windows machines connected to other similar machines, however, are an invitation for malware to come on in and have a look around.
In that meeting, we conducted a qualitative examination. It was qualitative because we didn’t attach a precise number to the probability of each risk in order to rank it. Instead, we went with our gut feeling and educated guesses. Because the meeting had a cross-functional group, it was less likely to skew the results toward a risk that wasn’t likely but felt really bad. You know, like the chance of a terrorist attack in rural Iowa: it sounds really bad, but it is probably extremely remote. So we determined we didn’t need to spend resources protecting against a terrorist attack, but we did decide we should set up a schedule to push patches and updates to all of the machines in our factory.
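The ranking exercise above can be written down as a small qualitative risk matrix. This is an added example, not from the original post: the five-level ordinal scales, the score thresholds in `treatment`, and the three register entries with their per-assessor ratings are all constructed for illustration. Each assessor's rating is combined with the median, which is what damps the "feels really bad" skew that a cross-functional group also damps.

```python
from statistics import median

# Ordinal scales for a qualitative assessment (assumed five-level scale).
LEVELS = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}

def consensus(ratings):
    """Combine several assessors' ordinal ratings into one level.
    The median ignores a single outlier who rates a risk 'very high'
    while the rest of the group says 'low'."""
    return int(median(LEVELS[r] for r in ratings))

def score(risk):
    """Return (likelihood * impact, likelihood, impact) for one risk."""
    likelihood = consensus(risk["likelihood"])
    impact = consensus(risk["impact"])
    return likelihood * impact, likelihood, impact

def treatment(likelihood, impact):
    """Map a matrix cell to a treatment decision (thresholds are assumed)."""
    s = likelihood * impact
    if s >= 12:
        return "mitigate now"
    if s >= 6:
        return "mitigate when resources allow"
    return "accept and monitor"

def rank(risks):
    """Rank the register highest score first: (name, score, L, I, treatment)."""
    rows = []
    for r in risks:
        s, l, i = score(r)
        rows.append((r["name"], s, l, i, treatment(l, i)))
    return sorted(rows, key=lambda row: row[1], reverse=True)

# Constructed register: four assessors rated each risk independently.
RISKS = [
    {"name": "Unpatched Windows Embedded HMI reached by malware from a peer machine",
     "likelihood": ["high", "high", "very high", "medium"],
     "impact": ["high", "high", "medium", "high"]},
    {"name": "Malware on a USB drive plugged into an engineering workstation",
     "likelihood": ["medium", "medium", "high", "medium"],
     "impact": ["medium", "high", "medium", "medium"]},
    {"name": "Terrorist attack on the rural plant",
     "likelihood": ["very low", "very low", "low", "very low"],
     "impact": ["very high", "very high", "very high", "high"]},
]

if __name__ == "__main__":
    for name, s, l, i, action in rank(RISKS):
        print(f"{s:>2} (L={l}, I={i}) {action:<30} {name}")
```

The unpatched Windows Embedded box scores 16 and lands at the top with "mitigate now" (the patch schedule), while the high-impact but remote attack scores 5 and is accepted, mirroring the meeting's outcome.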
Want to know more?
Johnson, R. (2015). Security Policies and Implementation Issues. Burlington: Jones & Bartlett Learning.
Project Management Basics. (n.d.). How to Perform Qualitative Risk Analysis for the First Time. Retrieved from Project Management Basics: https://pmbasics101.com/how-to-perform-qualitative-risk-analysis/
Stackpole, B., & Oksendahl, E. (2011). Security Strategy. Boca Raton: CRC Press.
Whitman, M. E., & Mattord, H. J. (2018). Principles of Information Security. Boston: Cengage Learning.