Cybersecurity remains a key concern for process manufacturers. Emerson’s Bob Huba presented, Implementing a DeltaV Security Program Using a Familiar Plant Model, to kick off the Tuesday workshops here at the Emerson Exchange Americas conference.
Figuring out how to implement a security program for your control system can be frustrating as there does not seem to be a good model of how to do this in a process facility. This presentation will present a familiar plant program model that can be used to get you started on security and build a foundation on which to increase the maturity of your security over time.
Bob opened stressing the importance of the human element in cybersecurity. If you start with Google you’ll be overwhelmed by the number of results–even using a number of keywords to narrow it down to process control. Most of the information is very IT-specific and not as beneficial for those involved in cybersecurity for their plant.
Process engineers biggest fear is the loss of view that may shutdown the process. And even with all the technical solutions out there, IT systems are still getting hacked. A big part of this, is people doing insecure things like clicking URL links, popping USB sticks into PCs, etc.
There are different types of attacks but there are really only a few attack points. More than data breeches, complex IT systems cause more issues. Control systems have unique security needs that need to be addressed separately than the IT systems.
Bob noted that security equals technologies plus processes plus people. For the DeltaV distributed control system (DCS), this includes user logins, network design, firewalls, and other technologies geared around a security program. Like a safety program, a security program requires a change in attitude to prioritize security, much like plants prioritize safety.
Training and awareness materials are needed to add to existing programs, such as the safety programs. Its best to keep security local by control system rather than a corporate policy from above because of the uniqueness of components, versions, integration points, etc. Canned security programs also tend to be IT-related.
Bob posed the question, “Where does IT fit into all this?” It’s key to keep IT informed and have them be part of the team, but not leading the team due to the difference in perspectives. Availability is paramount for the operations staff. Bob recommends a control system security “champion” at each site. Someone who is the subject matter expert and stays current with the threats, technologies, impacts with the control system, etc.
Bob stressed that technical solutions are important, but they must be correctly implemented and managed over time. Without the people and processes, they are not sufficient. This is another reason for the importance of a champion with the technical background to make sure the technology is performing its intended role and not causing more harm than good.