Bob Doruma Journal

Saturday, March 28, 2009

SCADA--Where Are The Liabilities?

The regulatory environment is placing increased demands on SCADA systems, driving data capture and retention, documentation, training, security, policy, and reporting requirements. As a result, operators and vendors are taking steps to incorporate the impact of regulatory and legal issues (sometimes referred to collectively as "compliance" issues) into the design and use of the systems.

Legal requirements and trends have placed new emphasis on maintaining compliance, because compliance issues are subject to increasingly aggressive enforcement. Compliance is of great significance in any incident where SCADA systems may be a core component of an investigation, lawsuit, or regulatory enforcement action. Compliance failures have resulted in large fines, jail time, injunctive relief and bad press.

Threats to operators also include the potential for misinterpretation and misuse of data. Knowledge of the data, and the obligation to understand what it means or implies, will be imputed to operators and management. This means responsibility and punishment will reach into the highest levels of management. Operators and management are now facing the potential of charges of negligence being changed to allegations of willful misconduct. In addition, they are confronted with the possibility of criminal liability and increased civil exposure.

Businesses with any form of SCADA-controlled operations must be aware of potential liabilities and take prompt and appropriate actions to minimize them. Personnel with the responsibility and expertise to manage SCADA for and in these businesses are the first line of defense against noncompliance charges and lawsuits. They should be able to recognize the various exposures faced by the company if the SCADA system (or an operation controlled by SCADA) fails operationally, suffers a security breach, or violates compliance requirements.

The following scenario illustrates the types of issues that can flow from a failure in an operation, especially a failure where an incident occurs.

If an operation fails in any way that is significant outside of the company, then it usually follows that agencies and other outsiders will become involved. "Significant outside of the company" can mean an adverse economic impact on a third party ("the pipeline went down because of a leak, resulting in gasoline supply disruption"), injury or damage to the environment, or injury or death of any person (including an employee).

The outsiders will look at the failure and the company, either because they have the public charter to do so (the FTC at supply disruption, DOT at pipeline safety issues, OSHA at injuries or deaths of employees, law enforcement at injury or death of third parties, the EPA at environmental issues, etc.), or because they see an opportunity to make money (plaintiff lawyers). The outsiders will look at operations with 20/20 hindsight and, depending on the incident, may look deep into records, security, policies and procedures and the decisions of the company.

Although a failure may be SCADA related, the cause of the problem is usually external to the SCADA system. Provided the SCADA system is integrated correctly (incorporating the Holistic model consisting of operations, security, and compliance), it can actually help supply the answer to what caused the problem.

The SCADA records likely will have a critical place in the midst of the scrutiny. The first hurdle facing the company is ensuring that the records can be produced. There are certain requirements in regulatory schemes for records retention (for example, see 49 CFR 195.404 regarding liquid pipelines in the United States). Failure to produce the required records may not only be a violation, but may also raise a presumption that the company destroyed the data because it has something to hide. If a civil lawsuit is filed, rules regarding evidence preservation may come into play, along with issues regarding records that are part of common law requirements as well as regulations like Sarbanes-Oxley in the United States.

Assuming the records and data are available, they will be dissected to find any "problems" in operations. The scope of the investigations will not end there. Regulators and plaintiff lawyers will look at compliance, training given to operator personnel, the manuals and policies underlying training, the age of the system, physical security of the system, the ergonomics of the SCADA control room and system, and many other factors to find fault with the company. Even if the incident resulted from a security breach caused by a criminal act of a third party, the company will be held responsible on the theory that its security, because it was breached, was obviously insufficient.

Vendor exposures are also multi-faceted. During the course of an investigation, vendors will be subject to subpoena and discovery by regulators and plaintiff lawyers seeking information about the activities of the vendor on behalf of an operator. Vendors will need to have maintained their working files in accordance with the requirements of the operator's contract. Although contracts normally require the vendor to provide prompt access to its records and files, such access is predicated on auditing by the operator of the vendor's work, rather than seeking to preserve records that may become important during an investigation or litigation.

In the best of circumstances, vendors can plan on having their business disrupted if their client has a problem. In worse cases, the vendor can plan on being a defendant itself. In this scenario, the vendor may face the choice between accepting some liability or blaming its customer for the failure. The latter action may result in the vendor crippling its business prospects with not only the customer involved, but other operators in the industry.

