How do you follow that act?

Following Byres was Ioannis Kioufis, Motor Oil Hellas. He showed his site and his security perspective from the point of view that, "I am not an IT guy." Security Awareness Security Commitment Security Action Motor Oil has not had an incident up to now, but we have to be, and we are, concerned because we know the danger. Knowing that we have proceed to benchmark the system, and hired Honeywell to do that. These things, Awareness, Commitment, Action are equal to Maintaining Business Continuity. Why does MOH connect the PCN to the business LAN? We have data that the enterprise needs. We used to do this manually. Now we do it automatically, with DCS, data historian and asset management. Kioufis described his security architecture, which I will not repeat here...other than to say that it is a four level system, from process control to the business LAN. MOH also uses a defense in depth strategy from hardware physical lockdown to application defenses to domain defenses. We do not allow email, instant messagers, and we do not allow MS Office Suite. We use Honeywell approved software only on Honeywell Process nodes. We did a security assessment with Honeywell. Again, I won't list all the assessment scope and best practices here. "We decided to do a vulnerability test. I know that this is an area where we have a fight between IT and process control," Ioannis said, "but it is worth it." "I am not going to share with you the results, for security reasons." Laughter ensued. "Security is a journey, not a destination," Ioannis says. You must build in preventive maintenance, "and try to travel the journey as relaxed as you can." You must have continuation maintenance on the security policies and disaster recovery plans. "There is no way we can ever say we have done," he said. "Now we are looking at remote connections and control." MOH is looking at remote connectivity, disaster recovery enhancements and incident response. Ioannis asked Honeywell to speed up software testing and certification, and to put together a situation alert system for customers like MOH. Security strategy is like an onion, with many layers. The core of business is the control system and SIS and these are what we must protect. Ioannis retold Odysseus' tale from the Odyssey...even when you get home, you still have to fight the suitors. The struggle never ends. The end purpose is to keep the business continuity, make profit, and keep our plant and people safe.