It’s hard to talk about digital transformation without talking about cybersecurity. At CERAWeek 2019, Emerson’s Michael Lester joined a panel, Energy Infrastructure: How vulnerable to cyber attack?
The panel opened with each panelist describing what got them into cybersecurity. Mike noted that the failure of the North East power grid that led to the NERC CIP standards that are still developing today. Another example was what happened in Ukraine where the cyber attackers to over the controls of critical infrastructure at power plants.
When asked about what the most significant threats are today, a threat assessment is the place to start. This assessment must consider people, processes and technology. The people part of this assessment is the most challenging. This can be due to their diligence, lack of training, or human error. Phishing attacks make up 2/3 of the attacks according to the panel moderator.
On the subject of convergence, Mike noted that it’s closer to interoperability where there more significant protections around low trust areas as compared with high trust areas of the information architecture. The levels of security must be continually tested as well as the people who manage these systems.
When considering where the Information Technology (IT) and Operation Technology (OT) should collaborate, it’s important to play to the strengths of each organization. OT personnel understand always on 24×7 operational importance and IT understands network architectures, enterprise scaling and personnel access.
The complexity of IT, OT, the cloud and aging control systems increases the complexity. You must have a clear strategy and business purpose with how things are connected and architected to manage this complexity. And once a solution is put in place, it requires continuous re-examination to maintain the strong cybersecurity posture.
Mike spoke to the importance of partnering with key suppliers who can help with a level of pre-integration to help identify some of the key technologies and remain up-to-date with the trends. Upskilling company personnel must be practiced on an ongoing basis.
In the end, there is no easy path that you can throw technology at and set & forget. It’s much like establishing and maintaining a safety culture—it requires ongoing efforts around people, processes and technologies.