Rockwell Automation’s Gregory Wilcox and Cisco Systems’ Paul Didier suggest these actions to get the operational process required to establish and maintain the security capability:
Identify the automation and control-system asset device types and locations within the plant-wide/site-wide network infrastructure.
Identify the potential and external vulnerabilities and threats to those assets—and assess the associated risks.
Understand application and functional requirements of automation and control-system assets, such as 24/7 operations, communication patterns, topology, required resiliency and traffic types.
Understand the associated risks of balancing the application needs and functional needs.
Understand and balance the requirements of the assets with the need to protect the availability, integrity and confidentiality of automation and control-system asset data.
