"We use many technologies to optimize and hit operating numbers—and one of them is cybersecurity," says Dan Rozinski, technology fellow for manufacturing and engineering at Dow Chemical Co., who spoke at ARC Industry Forum 2017 in Orlando. "The question is how to get a security program started and how to keep it going? It's also crucial to understand that cybersecurity isn't a one-time project. It's a continuous journey—like process safety—that we all go on together, trying to improve every step of the way. It needs leadership, care and feeding at each step, and it has to become part of an organization's culture. That culture will change when leaders make it important."
Rozinski reports that Dow has learned that cybersecurity—like safety again—is all about managing risk, which can't be entirely eliminated, but must be understood, prioritized and reduced. "Leadership on cybersecurity isn't coming up with a formula, but is instead determining where we want to move to," he says. "Different process applications and organizations have different tolerance levels, but we know we can't do cybersecurity on our own. This is why we reach out and get everyone involved, including operations, engineering, business, IT, legal, safety and purchasing. Cybersecurity 'takes a village,' and more than one village because other industries are involved, and we have different responsibilities to the government and the public to maintain security, too.
"We've been reaching out on the process safety journey for 30 years, and if there's a problem, the whole company rallies around it. As a result, process safety is in our heads all the time, and now we need to do the same with cybersecurity. Just as we can't simply make a product, but must do it safely, we're now saying that cybersecurity must play into our focus on operations and throughput. A security breach can't be allowed to impede a batch."
Rozinski explains that Dow is presently refreshing its cybersecurity program, and its key focus is protecting from the "top to the shop." "We're aware of the risks, but we've agreed on where we want to be," he says. "We also know to beware that security is handled differently in separate divisions, so we need security that permeates our whole organization. Operators need to know not to plug in unauthorized USB sticks, but we can't track everyone's actions, so everyone needs to be deputized to do security. Many organizations are also available to assess your cybersecurity progress, provide real-time and real-world feedback, and conduct white hat security testing to make sure the applications don't trip."