I've asked four experts to advise us on acquiring that vital knowledge. Bryan Singer is Security Principal Consultant at Kenexis. He is also the co-chairman of ISA S99, the ISA’s manufacturing and control systems security committee.
Eric Byres, P Eng., is the CTO of Byres Security and senior partner at Byres Research. He is a member of the ISA SP-99 Security Technologies Working Group and is the Canadian representative for IEC TC65/WG13, a group developing an international framework for securing process facilities from cyberattack
Ian Verhappen is the director of industrial networking technologies for MTL Instrument Group and past chairman of the Fieldbus Foundation’s Global End User Advisory Council.
Joe Weiss, PE, is the managing partner at Applied Control Solutions and the author of the “Unfettered” blog on ControlGlobal.com. He has testified on cybersecurity before the U.S. House Committee on Homeland Security.
Singer leads off. “It takes years to become an expert, but conferences, web seminars and technical training sessions provide some background and general situational awareness. Basic courses in computer networking give more knowledge. One can also leverage the work of standards bodies such as ISA S99, IEC 65C and NIST 800-53 for industrial control systems.
“Outside experts familiar with cybersecurity in both process control and IT can help. While day-to-day security can certainly be handled in-house, working with experts can help one get down the right path quickly.”
Byres says, “Some knowledge of network technology is critical before heading into the cybersecurity arena. ISA’s FG21 and TS05/TS10 courses, and thorough hands-on textbooks such as Computer Networks: Internet Protocols in Action by Jeanna Matthew, are helpful here. Attending basic Network+, Cisco and SANS Institute courses is also a good idea.
“Once you know the basics, you can get into the cybersecurity side. Courses from ISA, such as IC32, are good, as are the US-CERT Control System Security Program courses.
“Conferences like SANS SCADA and ISA Expo are good for learning. So are web sites like the US-CERT Control System Security Program, Digital Bond and the publications section of Byres Security. Finally, don’t forget the amazingly readable ANSI/ISA S99 series of security standards.”
Our third expert, Ian Verhappen, says. “The lowest cost way to learn about industrial cybersecurity is to read material available on good sites such as IAONA (www.iaona-eu.com), NERC (www.nerc.org) and the Department of Homeland Security (www.dhs.gov). The Process Control Systems Forum (www.pcsforum.org), the British Columbia Institute of Technology ( www.bcit.ca), and the Chemical Industry Data Exchange Chemical Sector Cybersecurity Program are also good.
“The best way to learn is often through doing. Practice in a small laboratory setting or have a reputable consultant come in and do an audit of your system. This audit can be as simple or as complex as you think you need. Reviewing the resulting report will certainly teach you a lot about Industrial Ethernet security.
“Take a look at what your IT folks are doing and follow them around for a while to learn the basics. This is certainly a low-cost and often local training option.”
Weiss concludes, “Business IT cybersecurity training is offered by many organizations, and several universities offer masters degrees in information assurance or cybersecurity. However, very few places offer useful training on control system cybersecurity, and no university programs are dedicated to control system cybersecurity. I recommend organizations known and knowledgeable in control systems such as Idaho National Laboratory, Pacific Northwest National Laboratory and ISA S99.”
