A provocative title to be sure, this was the title of a workshop given at the recent Emerson Exchange by Emerson’s Bob Huba and James Robinson. You may recall Bob from earlier cyber security-related posts. James is a member of the Emerson corporate IT team and is steeped in the knowledge and perspectives of IT professionals.
The Industrial Safety and Security Source blog captured their workshop in a post, Emerson: Security Starts with Talking. A focus of this session was to highlight the different perspectives that process manufacturers’ IT teams and plant operations teams have when it comes to security. These different perspectives lead to much of the conflict that exists between these organizations at many plants.
Bob and James performed a role-play with Bob representing plant operations and James representing plant IT. In the ISSSource.com blog post, Bob sums up a key difference:
In the IT world, they want confidentiality and they are not as worried about availability… I want high availability and am not as worried about confidentiality.
James noted another important difference with respect to lifecycle:
IT works faster. In four to five years (in a non manufacturing environment), you will have a new system, but a control system will be around for 15 to 20 years.
During their role-play, they highlighted everyday issues that can lead to interdepartmental conflict:
…such as patch management, scanning the system, antivirus/anti spyware software, penetration testing and hardening the system…
The solution is to sit down and talk in order to understand each department’s perspective. This is not an overnight process, but it is critical to find common ground that satisfies the availability needs of operations and the confidentiality and security requirements of IT. These discussions should lead to the creation of:
…standards, policies and procedures so there is a plan in place so everyone can follow on the same page.
Part of the process of creating a security-minded culture to address the ongoing threats posed by viruses, worms, malware, and other challenges is to create these necessary communication paths. The role-play by Bob and James helped to expose their workshop attendees to these different perspectives and, hopefully, gave them a bias for action toward creating or improving the necessary security policies and cultures.