Everyone talks about securing process control systems and networks, but very few individuals or organizations offer practical advice on how to do it. One of these exceptions is the ISA Cybersecurity Conference 2014, which was held on June 9-12 at the Cobo Center in Detroit, where it was co-located with the Big M Manufacturing Convergence tradeshow.
The conference was highlighted by an expert panel, moderated by Katherine Voss, president and executive director of ODVA, and made up of Bruce Billedeaux, cybersecurity consultant at Maverick Technologies; Rachel Conrad, global business manager for networks and security at Rockwell Automation; Eric Cosman, manufacturing IT and consulting engineer at Dow Chemical; and Jeffrey Smith, controls architecture and I&CS security manager at American Axle. The event also included exhibits and security solutions from the Automation Federation, ISA Security Compliance Institute, International Society of Automation, Owl Computing Technologies, ODVA, NextNine, Waterfall Security and Power Fingerprinting.
"Users must secure their outbound communications, but they must also make sure their vendors and contractors are secure, too," said Billedeaux. "Cybersecurity is as much about policy as it is about hardware."
Cosman advised that securing industrial controls requires domain expertise in those systems, and that asset owners must understand the potential consequences of inadequate security and realize that cybersecurity is closely related to process safety. "All sides must work together on cybersecurity, establish accountability and make security part of it," said Cosman. "Help is available in your own sectors and industries, and in your professional and trade organizations. Don’t worry that you won’t understand all about cybersecurity right away."
Smith added that many process engineers "don’t know what they don’t know" when it comes to cybersecurity, so they have to put in place what they can, and improve as they go forward. "We need to start with the controls guys and bring them up to speed on cybersecurity because you can’t just throw stuff from IT onto the plant floor," explained Smith. "You must decide what security you need in your application and do more, little by little, but you have to start today."
To help address some of these concerns, Ari Schwartz, White House senior cybersecurity director, described the Obama Administration’s executive order for a cybersecurity framework in 2013. It stresses protection of critical infrastructure, including process control systems in many industries, and calls for more rapid responses to attacks, establishing trusted identities, developing a trained cybersecurity workforce and speeding up the exchange of security information between government and business while still protecting individual privacy.
"Vendor and contractor management has been a weak point because they often have a lot of access even when a facility is otherwise secure inside and out, so we’re recommending mapping to security standards across industries, and checking that vendors are complying with clients’ security requirements," said Schwartz.
Likewise, Kevin Stine, security outreach and integration manager in the computer security division and IT Lab of the National Institute of Standards and Technology (www.NIST.gov), reported that the executive order directs NIST to develop a 16-part cybersecurity roadmap. The roadmap will draw on best practices for assessing and mitigating cybersecurity threats, and provide prioritized, flexible, repeatable, performance-based and cost-effective security measures and controls for owners and operators of critical infrastructure facilities.