Dow leads by inclusion

Dec. 27, 2017
Dow has learned that cybersecurity—like safety again—is all about managing risk, which can't be entirely eliminated, but must be understood, prioritized and reduced.

"We use many technologies to optimize and hit operating numbers—and one of them is cybersecurity," says Dan Rozinski, technology fellow for manufacturing and engineering at Dow Chemical Co., who spoke at ARC Industry Forum 2017 in Orlando. "The question is how to get a security program started and how to keep it going? It's also crucial to understand that cybersecurity isn't a one-time project. It's a continuous journey—like process safety—that we all go on together, trying to improve every step of the way. It needs leadership, care and feeding at each step, and it has to become part of an organization's culture. That culture will change when leaders make it important."

Rozinski reports that Dow has learned that cybersecurity—like safety again—is all about managing risk, which can't be entirely eliminated, but must be understood, prioritized and reduced. "Leadership on cybersecurity isn't coming up with a formula, but is instead determining where we want to move to," he says. "Different process applications and organizations have different tolerance levels, but we know we can't do cybersecurity on our own. This is why we reach out and get everyone involved, including operations, engineering, business, IT, legal, safety and purchasing. Cybersecurity 'takes a village,' and more than one village because other industries are involved, and we have different responsibilities to the government and the public to maintain security, too.

"We've been reaching out on the process safety journey for 30 years, and if there's a problem, the whole company rallies around it. As a result, process safety is in our heads all the time, and now we need to do the same with cybersecurity. Just as we can't simply make a product, but must do it safely, we're now saying that cybersecurity must play into our focus on operations and throughput. A security breach can't be allowed to impede a batch."

Rozinski explains that Dow is presently refreshing its cybersecurity program, and its key focus is protecting from the "top to the shop." "We're aware of the risks, but we've agreed on where we want to be," he says. "We also know to beware that security is handled differently in separate divisions, so we need security that permeates our whole organization. Operators need to know not to plug in unauthorized USB sticks, but we can't track everyone's actions, so everyone needs to be deputized to do security. Many organizations are also available to assess your cybersecurity progress, provide real-time and real-world feedback, and conduct white hat security testing to make sure the applications don't trip."

