One wonders just how much control system cyber security has made its way into the culture of designing and implementing large facilities that utilize industrial control systems. The May 2015 issue of Chemical Engineering had an article “Managing Large Chemical Plant Start-ups”. The banner states: “prudent planning and scheduling during a project’s front end can lead to more expedient commissioning and start-up activities”. The word “cyber” was never used and security was discussed from the perspective of physical security. A Gantt chart was provided to identify typical major pre-commissioning activities. Security, much less cyber, was not identified in the chart. There were two bullets that should have addressed cyber:
- Identify and install the information technology (IT) systems that will be used for pre-commissioning
- Identify which parts of the process control system (if any) are needed prior to the entire system being turned over for construction.
The concept of embedding cyber security as an integral part of control system design and installation was missing.
What does it take to change culture?