Over at the Digital Bond blog, Dale Peterson has a series of posts on cyber security strategies that automation suppliers are taking to work with their respective customers. His first in the series is “ICS Vendor Security Strategies – Part I Emerson’s Let Us Do It All.” The post analyzes the Power & Water Cybersecurity Suite offering provided by the Power & Water Solutions (PWS) business within Emerson Process Management.
When I saw the post originally, I checked with the team based in Pittsburgh and asked for their thoughts on the post. I connected with Roger Pan. Roger is the program manager of the Power & Water Cybersecurity Suite offering.
The blog post highlights the key elements including anti-virus/malware software, firewall/perimeter security devices, host IDS/IPS, security incident & event management, security patch management, and vulnerability scanning.
As the title of the post suggests, the objection is the perceived difficulty of achieving and maintaining this security offering over time. The offering is compared with efforts by Network Associates, which did not survive over time.
Roger notes that “let’s do it all” may be overstating the case. This solution is focused around the Ovation control system. It does not attempt to be the comprehensive cyber-security offering for the entire power or water plant. As such, it’s a part of the plant’s overall security planning and execution process.
Security threats change on a daily basis. As “zero-day” vulnerabilities are discovered in the underlying operating system or commercial off-the-shelf (COTS) equipment such as network switches, routers, and firewalls, they must be thoroughly tested against the versions of software running in the Ovation system.
In an earlier post, “Is Solving World Hunger Easier than Working with Plant IT Security?”, I discussed the different views that IT and the plant operations staff have on cyber-security. Availability is paramount for the operations team. The objectives of the Power & Water Cybersecurity Suite are:
- Ensuring non-interruptive plant operations
- Providing non-intrusive mechanisms for distributing or collecting security data
- Integrating security measures with Ovation components
- Testing full compatibility with current and future Ovation systems
- Assuming responsibility for security products’ life cycle management
Roger agreed that every security measure might have a potential weakness that might be maliciously exploited. The best security solution is defense-in-depth. In the long run, OSC seeks to address any vulnerabilities that the Ovation system might have.
For all automation suppliers it is a challenge to deal with changes in the COTS components in their systems, and this is true for PWS. As difficult as this might be, it’s not something that would be easier for the plant to manage on its own. The point of OSC is to manage the changes in technology, test against recent versions of the process software, and help the plant manage these changes as a part of their overall security efforts.
What’s important is not that OSC do it all for the customer, but that it do its part of the overall plant security plan: helping maintain overall system availability, securing the system in depth, keeping current with fixes to the latest threats, and helping manage and test the changes in COTS technology over the lifecycle of the system.
Update: Welcome, readers of Gary Mintchell’s Feed Forward blog! I appreciate any perspectives you have to share.