Douglas Clifton, global director of the critical infrastructure and security practice for Invensys, says, “Cyber security is like life insurance. You don’t have to buy it, but if you need it, your family is very glad to have it. You don’t appreciate it unless something catastrophic happens.”
Clifton said that Invensys has been consulting with its customers on the issues of cyber security since 2001, and now has more than 20 customer-facing cyber security specialists in North America. Clifton came to Invensys in 2006 to form the Invensys cyber security team after having run the cyber security consulting business of Nortel Networks. He’s seen how both threats and attitudes have changed over the years, and he appreciates that consciousness is being raised.
In addressing these changing industry attitudes, Invensys sees a clear purpose for its cyber security consulting services. “A lot of people in industry use traditional IT methodologies to protect control systems. While IT security sort of lines up, it’s not an exact fit,” said Clifton. “We’re different from an IT consulting organization because we understand industrial needs. We can fill in the gap between operational technology and information technology.”
There’s also a gap between “what the machine builder puts in and what end users need,” Clifton says. “We help [both groups] identify those gaps and figure out how to fill them.”
Clifton added that a “large percentage of our time has been devoted to clients with regulatory requirements, such as the power industry and their efforts to be compliant with the NERC [North American Electric Reliability Corporation] standards. But over the last 18 months or so, customers in non-regulated industries have become very interested in finding out what they can do to keep away from vulnerabilities.”
To address growing industry interest in cyber security, Invensys has recently introduced formal cyber security assessment services to help customers understand the risks that might impact the safety and reliability of their operations. Performed on site, the control system assessment provides a baseline of the user’s current security position, and it can be used as the starting point to develop a strategy. The service includes the following elements:
• Site and system assessment. The results of the assessment are delivered in a final report that identifies critical assets, vulnerabilities and risks.
• Compliance assessment. Invensys addresses compliance status by reviewing operations and processes against required corporate compliance standards.
• Establishing a security baseline. The baseline lets customers measure future progress against their current security status and operating model.
On the issue of compliance, Michael Martinez, a former ISO auditor and current Invensys cyber security consultant, hosted a session at the conference where he walked attendees through the compliance aspects of cyber security.
“It used to be, if you had USB ports on plant floor systems, the best practice to secure them was to epoxy them. Now there are methods through software to disable them,” Clifton said. Best-practices compliance issues addressed in Martinez’s session also include protecting against vulnerabilities presented through the use of Web services and SQL databases.
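The software alternative to epoxy that Clifton mentions is, on a Windows plant-floor host, a registry change: disabling the USBSTOR driver so mass-storage devices never mount, and setting the Removable Storage Access policy so they are denied even if the driver loads. The script below is an added example and is not Invensys’ or the article’s own code; it assumes an elevated PowerShell 3+ session on a host under change control, supports `-WhatIf` and an audit-only mode, and verifies the result rather than trusting that the write succeeded.

```powershell
# Added example (not from the article or Invensys): lock down USB mass storage
# on a Windows plant-floor host and verify the change. Assumptions: elevated
# PowerShell 3+, and the host is under change control (test on a spare box first).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$AuditOnly   # report the current state without changing anything
)

# USBSTOR service start type: 3 = manual (driver loads when a device is inserted), 4 = disabled.
$usbstorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
# Key written by the Group Policy "All Removable Storage classes: Deny all access".
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Get-UsbStorageState {
    # Read both controls so the audit reports exactly what is enforced.
    $start   = (Get-ItemProperty -Path $usbstorKey -Name Start -ErrorAction Stop).Start
    $denyAll = 0
    if (Test-Path $policyKey) {
        $p = Get-ItemProperty -Path $policyKey -Name Deny_All -ErrorAction SilentlyContinue
        if ($null -ne $p) { $denyAll = $p.Deny_All }
    }
    [pscustomobject]@{
        UsbStorStart   = $start
        UsbStorBlocked = ($start -eq 4)
        PolicyDenyAll  = ($denyAll -eq 1)
    }
}

$before = Get-UsbStorageState
Write-Host "Before: USBSTOR Start=$($before.UsbStorStart), Deny_All policy=$($before.PolicyDenyAll)"

if ($AuditOnly) {
    # Audit mode is what a compliance reviewer would run across a fleet of hosts.
    if ($before.UsbStorBlocked -and $before.PolicyDenyAll) { Write-Host 'COMPLIANT' }
    else { Write-Host 'NOT COMPLIANT: USB mass storage is still usable' }
    return
}

if ($PSCmdlet.ShouldProcess($usbstorKey, 'Set USBSTOR Start=4 (disabled)')) {
    Set-ItemProperty -Path $usbstorKey -Name Start -Value 4 -Type DWord
}
if ($PSCmdlet.ShouldProcess($policyKey, 'Set Deny_All=1 for removable storage')) {
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name Deny_All -Value 1 -Type DWord
}

# Verify rather than assume: a non-elevated session fails the write silently in some cases.
$after = Get-UsbStorageState
if (-not ($after.UsbStorBlocked -and $after.PolicyDenyAll)) {
    throw 'USB storage lockdown did not apply; confirm the prompt is elevated and the keys are writable.'
}
Write-Host 'USB mass storage disabled; devices already attached may need a reboot to be released.'
```

Two caveats a practitioner should keep in mind. Both controls only stop the mass-storage class: a device that enumerates as a keyboard or network adapter still loads, so this complements rather than replaces physical port control and device whitelisting. And a local registry change drifts unless it is also enforced by Group Policy or a configuration-management tool; run the script in `-AuditOnly` mode on a schedule to catch hosts that have been reverted.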
Other conference sessions on cyber security include “Cyber Security in the New World,” which describes how Invensys’ own R&D efforts incorporate security at all levels, and “General session 05–GISCP Certification,” which covers a new certification intended to help control-system personnel understand the language of cyber security.