Whew!

June 15, 2005
We just got the second edition of the show daily to the email forwarder. I'm very pleased. This one is longer...has four articles, two by Keith Larson, and two by me. All of it, frankly, pretty good stuff. I've been dividing my time working on CONTROL, the enews edition, and attending the sessions. Missed a great session this morning by Judy Moser of Alcoa on Security-- Cyber Implementations. I am looking forward to reading the paper on the CD when I get it. But I didn't miss two very importa...
We just got the second edition of the show daily to the email forwarder. I'm very pleased. This one is longer...has four articles, two by Keith Larson, and two by me. All of it, frankly, pretty good stuff. I've been dividing my time working on CONTROL, the enews edition, and attending the sessions. Missed a great session this morning by Judy Moser of Alcoa on Security-- Cyber Implementations. I am looking forward to reading the paper on the CD when I get it. But I didn't miss two very important sessions this morning. First, Bill Lessig, plant manager of Honeywell's Geismar, La., facility (what us old lags knew as Allied Comical back in the day) gave a detailed report on the state of the art integrated security system they just finished installing at Geismar with the help of a million dollar grant from the U.S. Government. The point of Lessig's talk was that the integration of process control, building automation, and security systems (my, my! Guess who makes all three, and your first two guesses don't count, okay?) was the driver for his project. "It may not seem like it, but it is an extremely powerful tool," Lessig stated. Integration is the key, he noted, offering: -risk reduction -better preparedness -proactive response -lower TCO (total cost of ownership, for you folks who have been playing Rip Van Winkle for the past few years) because of single vendor -easier training -cost savings due to the ability to share data Along with the process control system, Lessig's team integrated every security concern, from radar detection of approach from the Mississippi, to visitor management with a highly automated solution called "Lobbyworks." Lessig made the telling point that one of the most important pieces of fallout from their project was Automatic Mustering in case of emergency, and automatic locating and tracking for personnel, vehicles and hazardous materials using GPS. When you think of the fact that BP Amoco couldn't even determine how many people had gone missing after the Texas City accident in March for several days, having the ability to know who everybody is and where they all are is more than a "kinda nice" feature. Once again (this seems to be becoming a Honeywell security trademark) Lessig's team settled on "defense in depth" with layered security defenses and tiered access. "Some of our people were not happy with the fact that there were parts of the plant where I wouldn't let them go anymore, and we all had to do some growing," Lessig deadpanned. Then Lessig joined some security luminaries for a panel discussion. The luminaries included Keith Stouffer, from NIST, who is the godfather of most of the government's SCADA and process automation security initiatives, Bharesh Patel from Genzyme, the ubiquitous Kevin Staggs, from Honeywell, whose presence enlivens any debate, Scott Roe, from Corporate Security Solutions, a well known security consultant, and a guy from Alcoa whose name I unfortunately didn't get. He identified himself with a little sign that said "Evil IT" which he held up, and then placed in front of the guy sitting next to him. That was the last participant in the panel, Ron Sielinski from Microsoft. Stouffer began by explaining the three major automation security initiatives, PCSRF, ISA's SP99 and PCSF. PCSRF is NIST's process control security forum, going on now since 2001, SP99 is the ANSI standard that has grown out of PCSRF's work, and PCSF is the latest entrant, the Department of Homeland Security's forum, at www.pcsforum.org. Lessig took the floor again. "It is important to incorporate security into the systems you already have. At my site, my safety leader is also my security leader." Scott Roe chimed in, "People are starting to think holistically about security. Otherwise you have the dangers of always applying bandaids." Mr. "Evil IT" from Alcoa said that he felt it was a matter of ownership and accountability. He made an impassioned appeal for plant floor IT and enterprise IT to work together, "to build a strong house." Sielinski, from Microsoft, as was predictable, pointed to the legacy issue as the most important security challenge. "The Windows platform suffers from ubiquity," he noted. It is a very complex problem with technical and physical issues. "Don't post your password on a sticky note on your terminal," Sielinski said. "Security must be everyone's responsibility," he concluded. Patel from Genzyme pointed out that, "it comes down to process. How rapidly can you deploy changes and updates? And how do you change your corporate culture to incorporate security concerns in everybody's thought processes?" Staggs chimed in. "The most compelling issue," he averred, "is awareness." Ron Sielinski made an interesting and thought-provoking point. He begged for government regulators (I suppose personified by Keith Stouffer) to not make lots of regulations for IT security. He pointed to the unintended consequences of 21 CFR 11, where now regulated facilities are afraid to even patch their software for fear they might have to re-validate their systems. Bharesh Patel agreed. "Sometimes the regulations are so vague that there are multiple solutions with equal validity. We hesitate to make changes because it takes between five and six months to re-validate our systems, on average." The first question for the panel was, predictably, about wireless security. Sielinski noted that at the Microsoft corporate campus wireless is everywhere, and they have what they consider a remarkably secure network. Wireless can be done securely. Patel agreed, saying that it is entirely dependent on your implementation. "The problem," he said, "is the way it is sold in the market. People just do it, without thinking." Kevin Staggs gave a very short report on the WINA/SP100 effort, now in what he called "voice of the customer" mode. "Watch this space," he cracked. Another question from the audience focused on the "people and asset locator" portion of the Honeywell Geismar implementation. While begging off the "build the watch" technical explanation, Lessig asserted, "It works, by the way!" There were two excellent questions to end the forum. The first of them was, "What proportion of budget should we be investing in process security?" Mr. "Evil IT" from Alcoa bluntly answered it. "We have as many process servers," he said, "as we do IT servers. I guess the security costs for both are similar." Do the math. The last question was directed to Ron Sielinski. "Has Microsoft ever considered designing a 'Windows-like' custom platform for process control that was more secure than Windows?" "Yes," Ron said, "but when we got finished with specifying it, it looked just like Windows. The key is to implement the security that already is there correctly." Sielinski noted that OMAC's Microsoft User Group is deeply into a project they call "MUG/Secure" which is focused on how to take the retail Windows and implement it most securely. Kevin Staggs agreed. "Again it is about awareness. Not every service needed for automation is documented and known at the plant level, and sometimes you realize you have to patch something you didn't even know you were using."