Implementing a Control System Security Program Using a Familiar Plant Model

by Jim Cahill, Chief Blogger, Editor | Apr 1, 2014 | Event

Bob Huba


Emerson’s Bob Huba shared some things to think about in his Emerson Exchange Stuttgart presentation, Implementing a Control System Security Program Using a Familiar Plant Model. His abstract:

Developing a security program for your control system can be frustrating as there does not seem to be a good model of how to do this in a process facility.

This presentation will present a familiar plant program model that can be used to get you started on security and build a foundation on which to increase the maturity of your security over time.

Bob opened by sharing his 2-foot rule: if you don’t like his presentation, feel free to use your 2 feet to leave. His focus was to look at security from a human-centered design approach.

Standard IT security is not appropriate for control systems. An example is an automated patch update that loads the patches and reboots when completed. This can’t be done without a plan in place to handle the loss of an operator station during the reboot process.

Bob noted that the biggest fear is a loss of view that makes an operator shut down the process. A big part of the security problem is people doing insecure things. Examples include plugging in unfamiliar USB sticks and following insecure URL links.

As IT installs more and more complex security solutions, these can cause outages when applied to control systems, where denial of service is dangerous. Security has both technical and people issues to resolve. Like safety programs, security requires people, processes, and technology. Make HSE (health, safety & environment) become HSSE–health, safety, security & environment.

For a security program, train the people who interface with the technology, from operations and maintenance to project and process engineers. Following the safety program model makes a security program easier to understand and more readily embraced by the people who interact with the control and instrumentation.

Also like a safety program, a security program should be localized to the plant. It must make sense to everyone involved and not be pushed down from above. Key to implementation is ownership by the people who interact with the systems. IT should be informed and provide auditing to make sure what is identified in the program is being done. It’s a collaborative effort.

The security program begins with a security champion who leads the effort, trains the personnel, liaises with the IT organization, and is the person responsible for making sure the program is sustained over time.

Bob suggested that the utilities area is a good spot to begin since it impacts the entire production operation. It’s where the key elements of the program can be worked out and successes built as it is expanded plant-wide.
