As we’ve discussed in prior cyber-security posts, process manufacturers are increasingly concerned with how to best secure their automation systems and plant sites.
At the recent Chem Show, Emerson’s Bob Huba presented, Control System Cyber Security–A Different Approach. He describes that what seems to be lacking is a model for implementing security that we can understand and explain to plant personnel.
The approach Bob describes is to think about cyber-security efforts like a plant safety program. Like a successful safety program, a successful security program requires that plant personnel develop an “attitude” around security. Responsibilities are clearly assigned. People (operators, engineers, supervisors) take responsibility for security of their areas.
Procedures for control system security policies are clearly documented. And, training is formalized so that these security policies are well understood in the same way plant safety procedures are understood by all plant personnel. This training includes an understanding security processes and potential risk areas of which to be aware.
This model includes a focus on awareness for personnel to recognize and prevent insecure behavior and a mechanism to report problems and concerns. Like the safety program, measurement is important. A culture needs to be established where security incidents and insecure actions are reported and summary reports are communicated to provide evidence that security is being measured. Celebrating success is important to keep plant folks motivated.
Audits and enforcement are another key part of the model. Are the established procedures being followed and are actions established to fix any findings identified in the audits? Again, like plant safety, these efforts must be ongoing to be effective.
Bob proposes this model because it’s well understood by the operations organization, it’s implemented at the right levels in the organization, the processes and procedures are localized for the plant, and procedures are specific for the installed automation system(s). Taking this approach requires a champion and Bob recommends this role should not be delegated to the IT organization. It is better that this person be from operations and teams be established for different areas of responsibilities including the IT organization.
All of the specific security measures, like those referenced in Best Practices in DeltaV Cyber-Security whitepaper, are very important–but so is the process of establishing a security-minded culture.