You may recall our Cyber-security expert Bob Huba from some earlier posts on this topic. Bob has done an excellent recap of the Cyber-security presentations from the recent Emerson Exchange which I’ll pass along to you with some relevant hyperlinks:
The 2006 Emerson Exchange contains a significant increase in the number of system cyber-security presentations over past years. This indicates the increasing importance of system security in the minds of process manufacturers–since the user community actually develops the presentations and the agenda for the Emerson Exchange.
Last year there was only one short course and a couple of workshops on security. This year there are 2 full days of security presentations–basically the same presentations repeated each day to offer more opportunity for users to schedule time for the sessions. The Emerson Exchange Board doesn’t usually schedule two sessions unless they feel the subject will be popular.
One highlight of the security sessions is the popular Idaho National Labs short course initiated in the 2005 Emerson Exchange–back again this year for two four-hour sessions. The presentation, made by the highly knowledgeable presenter from INL Mark Fabro, held the rapt attention of 75 attendees. The course will be repeated on Thursday for those that attended the other cyber-security workshops scheduled concurrently with the INL course for this morning.
The other security workshops today had excellent attendance as well. One of our Pulp and Paper customers discussed how to keep your DeltaV system anti-virus scanners up-to-date using automated tools and procedures to download and distribute the signature updates. Another presented a user viewpoint on system security do’s and don’ts. And I, the DeltaV marketing manager for DeltaV security, spoke on the DeltaV security enhancements, including the details on the new DeltaV Controller Firewall, to a packed room. Part of my presentation also included a section comparing a control system security program to a plant safety program. Like safety, a security program includes a significant effort on user education and training. We all need some basic cyber-security efforts and we just need to do something now rather than waiting for some complicated security program to develop.
Mark Fabro led an afternoon workshop discussion, “CyberSecurity Who Needs It,” on how to understand the emerging threats and the practical countermeasures we can develop to mitigate these threats. We really need suppliers, users and the public sector to work together in this effort. Mark thinks there is a lot of fear, uncertainty and doubt in the user community about the “real” threats and how to mitigate them. Next was a refining customer with a management-oriented workshop on “Cyber Security and your Bottom Line”. He was making the point that management is reluctant to spend the money on security. They need to justify how this will “help us make better oil,” where a better question might be “how does security keep us making oil”. If your assets are at risk–water, power and environmental systems–how long can we stay running? He also made the excellent point that when setting up a security policy, “if it is important enough to make it a policy it is important enough to fire somebody for violating it.”
The final presentation of the day was by two Oil & Gas customers with their presentation on “Cyber Security in a DeltaV Environment: A Harmonious Relationship”. It was attended by over 50 people. Being the last presentation after a long day of being “PowerPointed” to death shows the serious concern manufacturers have about cyber security. They recommended NIST publication 800-37 to help users develop their security program. A point was made discussing a key security concept called “Defense in depth,” defined as the concerted use of multiple security techniques to mitigate the risk of compromise to an acceptable level. At the same time they strongly advised process users to be sure to use Defense in Depth techniques that are appropriate for use in the control systems and to not blindly deploy IT-based solutions that might impact the availability of the control system.
All in all, the Emerson Exchange developed an excellent and well-attended set of control system cyber security workshops that provided process manufacturers with some great and pertinent information on keeping their DeltaV control systems as secure as possible.