Cybersecurity has a persistent image problem. While firewalls, anti-virus and other technical measures are part of the equation, production assets can't be secured from cyber attack with technology alone. Rather, an ongoing organizational commitment to developing a culture of security is what's needed to head off cyber intrusions – and, when necessary, detect, contain and recover from them.
Further complicating the landscape are inadequate definitions and the inability to measure the effectiveness of security measures. "Part of the problem is that if cybersecurity is done right, nothing happens," said Honeywell Process Solutions' Rick Kaun, kicking off a panel discussion of "Cybersecurity as Program, not Technology Deployment" at the November 2012 Honeywell Users Group EMEA meeting in Istanbul.
Kaun was joined by process industry users from across the region, including Dimitris Moutzouris-Lygeros of Greece's Motor Oil Hellas, Romano Karlovic of Croatia's INA Rijeka, Mohamed Amine Kaddour Brahim of Algeria's Sonatrach, and Karl Huthmacher of Shell in Germany. The panel was moderated by Graeme Bell of South Africa's Technews.
Leverage IT Skills
An early discussion point among the panelists was just who is responsibility for securing production assets from cyber attacks. Most agreed that control systems and IT groups share a joint responsibility, but the operational groups who understand the relative importance of process availability and safety must take the lead, while leveraging the skills of IT personnel.
"It needs to be the joint responsibility of control engineers and IT, said Sonatrach's Brahim. "They need to work together to protect the IT network and the production assets."
"But the operations and production people must bear ultimate responsibility," added Dimitris Moutzouris-Lygeros of Motor Oil Hellas "We are familiar with safety; cybersecurity is the same way."
Honeywell's Rick Kaun acknowledged that a combination of skill sets is needed, and recommended that users who have process and operational expertise leverage the skill-sets of their company's IT department instead of duplicating them.
While much of industry's cybersecurity effort today is focused on identifying system vulnerabilities and fixing them, they can't continue to treat cybersecurity as a one-time deployment.
In fact, Honeywell Process Solutions is currently growing its cybersecurity services business not only by helping users address the "low hanging fruit" of current system vulnerabilities, but by helping them keep their cybersecurity measures up to date. "It's a continuous cycle of assessment, remediation, management and assurance—then it all starts over again,' Kaun said.
And while end users can continue to leverage the capabilities of control system suppliers such as Honeywell to identify and address cyber vulnerabilities, they need to develop a security of culture in all that they do.
"Companies need policies that affirm secure practices, and the need to have repercussions," Kaun said. These policies and practices should spell out, for example, how mobile devices, jump drives and USB ports are to be used. At Shell, all USB devices are scanned with a standalone system to verify their security, Huthmacher said. "USB sticks get a bad rap," Kaun added, "but rather than just disabling all the USB ports in your facility, you need to understand what the business needs are, and develop processes to do what you need to do as securely as possible."
Physical security, too, is increasingly intertwined with companies' cybersecurity thinking. "What if an employee opens a cabinet and switches off a firewall's power?" asked Shell's Huthmacher. "There's certainly a need for more communications between physical and cybersecurity functions," agreed Kaun. "Soon, there even may be regulations that require real-time response if there's a physical intrusion."
At its most essential, cybersecurity is the end result of "people, business processes and technology together working to make sure your process works in the way you expect it to," said Kaun. "Security needs to be a culture. It's not enough to think about it once in a while. It needs to be baked into everything you do."
Added Shell's Karl Huthmacher: "It's important that every one thinks secure, just like they think safe."