The third fundamental aspect of a successful security program is the ability to keep it up to date (and fully documented). The longer plants manage the program, the more difficult and more important this becomes. As many managers can testify, the average employee can become complacent over time. Usually the first areas to suffer are administrative or seemingly unimportant recording and tracking tasks. To combat such lapses, it's imperative to establish and regularly review workflows. Done properly, they guide personnel through each stage and proof point, embedding procedural and policy objectives into day-to-day tasks and providing some form of verification or documentation. Such workflows can play a crucial role in ensuring proper management, maximum security and getting the most value from security spending, while minimizing the "people" risk factor.
In essence, specific workflows reflect the application of corporate or regulatory policies and procedures. One simple example involves ensuring new employees are granted access to critical systems based on relevant clearances and certifications spelled out in various programs such as CFATS, the Transportation Worker Identification Credential, etc.
Let's take a closer look at the request-for-access example. By extending the framework to include training and personnel data, plants can add a workflow to manage and automate such requests.
The application could submit the user name to a process that grants user access to specific workgroups or roles within the facility. If the role and clearance required already are defined, the application now can manage — automatically and without error — whether or not to grant access.
Further, workflows can monitor the time stamps associated with various clearances, training and certifications, automatically notifying users when these are about to expire. Similarly, removing users who no longer require access (due to employment termination or retirement, for example) from all information systems becomes simple, either by providing a comprehensive report or by automatically disabling accounts. A plant also can apply automated workflows and management of information to log review, patch evaluation and deployment, general change management, etc.
To the extent possible, all policies and behaviors should have a corresponding workflow with some form of verification or documentation. This can range from a simple key sign-in/sign-out sheet to a full-fledged change-management regimen for patch evaluation or upgrades.
To properly reflect an organization's policies and procedures, workflows must be dynamic. If, for example, an application upgrade is high risk due to the systems involved, the workflow must manage additional levels of approval and consultation. A dynamic workflow should accommodate reassessment, extra information, and reassignment of tasks or reporting. Of course, it also must capture any and all additional actions taken. This is especially true for key process control and safety instrumented systems, etc., that are critical to safe and reliable plant operation.
An additional necessary aspect of workflow is the ability to tie the changes and reports back to the systems to verify the data. If a user can mark a task or change complete without having done it and this isn't caught, the omission may go unnoticed. So, a loop-back mechanism, whether electronic or manual, is an important element of any workflow tool.
Implementation using electronic tools essentially involves embedding specific reporting and tasks into a step-by-step workflow that then verifies the particulars against the end-system data, effectively enforcing the policy. In turn, this ensures consistency of reporting, content and workflow across different people, shifts and locations within the organization. As an added bonus, the plant gains an effective change-management tool. If the system is hooked into existing corporate communication tools like instant messaging or Active Directory (for access review, revocation, control, etc.), the processor has the building blocks of a dynamic security-management program.
CHANGING THE CULTURE
The three-step process of creating/managing cyber inventories, integrating data sources and implementing workflows essentially forms a blueprint for establishing a strong cyber-security program.
But one crucial element — corporate culture — ultimately will determine whether this program is maintained effectively. A successful security program depends upon ongoing buy-in by people at all levels in an organization.
In light of the unrelenting move toward increased regulation, putting off implementing cyber security really is just postponing the inevitable. And delay can have serious repercussions for the success and cost of a security program.
In the chemical industry, it's fair to say that physical security now matches worker safety in priority. In the U.S., CFATS certainly has spurred increased emphasis on effective physical security measures. Cyber security, though, is a different story. Often, it falls below other priorities such as alarm management, process improvement and environmental controls.
Processors must think beyond the mechanics of compliance and realize that cyber security really is about ensuring safe, reliable and expected system behavior.
And chemical makers, like manufacturers in all industries, must view cyber security exactly the way they do safety — as a permanent program, not just as technologies that are part of a finite project.
RICK KAUN is Edmonton, Alta.-based manager of Honeywell's Industrial Cyber Security Division. Email him at Rick.Kaun@Honeywell.com.