Automation World’s 2012 Automation Conference (www.theautomationconference.com) featured industrial control system (ICS) cyber security specialist Joel Langill offering detailed insights on control system cyber security. Here are other observations by industry.
Most security experts agree that the large, tier-one companies in all industries have security well in place, as do those companies with high regulatory pressures, such as chemicals, oil & gas and utilities. “Oil & gas has done a good job of self-regulating by working with the Project Logic Initiative, a [U.S. Department of Homeland Security] funded initiative,” says Brian Ahern, president and CEO, Industrial Defender (www.industrialdefender.com) (a supplier of industrial security systems based in Foxborough, Mass.). “In this initiative, energy sector players come together to define standards for automation system security. As a result of the high level of involvement in this program, government is giving the industry players a lot of leeway to drive security without regulatory involvement.”
Ahern also points to the chemical industries’ CFAT (chemicals facility anti-terrorism) standard, which is modeled after NERC CIP. “It’s not a regulation, just a standard,” says Ahern, “but the industry is starting to audit to the standard. It could become regulatory if non-conformance becomes an issue.”
Discrete manufacturers are in a much earlier stage of the process of implementing security, according to Rick Dries, director of systems and application engineering support, Siemens Industry (www.usa.siemens.com/industry), Alpharetta, Ga. “Most process industries are considered critical infrastructure, that’s why they’re further along. In addition, due to the nature of their operations, process facilities have fewer opportunities for downtime to fix things. Control systems are simply more integrated throughout a process operation,” and that has made security a more upfront issue for the process industries in general.
“Mid-size and smaller companies overall are struggling with the cyber security issue,” says Eric Byres, chief technology officer and vice president of engineering at Byres Security (www.tofinosecurity.com). “For example, look at the water industry, which is made up of a lot of little utilities with tons of problems facing them. The engineers in these facilities have several jobs. I’ve even seen some big water utilities with no security awareness.”
Byres adds that food manufacturers are also just now waking up to the realities of dealing effectively with cyber-security issues.
“General manufacturing is still somewhat behind the curve when it comes to control system security,” says Langill, ICS cyber-security specialist at SCADAhacker.com (scadahacker.com) (Appleton, Wis.), “primarily due to a misunderstanding of what the real threats and consequences are to their operations. Unfortunately, many believe that a cyber attack needs to come from a terrorist organization trying to cause mass destruction. In industrial settings, the real threat more often comes from ‘unintentional’ or ‘accidental’ infection of a control system through an unknowing insider—maybe even the lead automation engineer.”
>> Visit The Automation Conference web site (bit.ly/tac2012news) for additional insights and information from the conference sessions themselves.
David Greenfield is Automation World’s Media and Events Director.