Build Better Cyber Security

A three-step approach is key to enduring protection.

By Rick Kaun, Honeywell


Cyber security has received a big boost lately. Unfortunately, it wasn't the type of boost chemical makers were hoping to see.

A 2010 attack by malware dubbed Stuxnet that targeted control systems (see: "Industry Gets Cyber-Security Reality Check") has thrust cyber security further into the spotlight as a major concern of manufacturers in the process industries and elsewhere. It has prompted many a chemical maker to ask:

Is my plant vulnerable to attack?

What if my facility is hit with the next version of Stuxnet?

Do we have the appropriate policies in place?

What about Chemical Facility Anti-Terrorism Standards (CFATS)? Are we in compliance?

In short, if a company wasn't already scrambling to research, create and implement an effective cyber-security program, Stuxnet certainly provided the impetus. It underscored that a strong cyber-security program is a necessity for manufacturers today.

Cyber security plays a crucial role in ensuring the reliability and robustness of the networks that a plant's critical applications run on. Implementing a baseline security model across a facility — whatever the industry — increases the likelihood of safe, dependable operations and minimizes potential security incidents. So, cyber security clearly is destined to become as entrenched in the process industries as a "safety culture" has become over the last few decades. As with safety (see: "Make Safety Second Nature"), chemical makers must achieve a cultural change. This requires not just a project but an ongoing program.

The prospect of doing anything — let alone running a cyber-security program — perpetually may seem overwhelming. However, this daunting task is achievable by breaking it into three key steps: inventory, integrate and implement (Figure 1).

The first step in developing any security program — physical, cyber, or both — is assessing a plant's current measures. In terms of cyber security, this means taking inventory of assets.

In industries where cyber-security regulations already are in place, operators must provide a list of their critical cyber assets. Getting started on an inventory immediately can help chemical makers ensure they're not left scrambling. CFATS doesn't explicitly call for such a list today — but may as its cyber component evolves.

A cyber inventory provides plants with the information needed to make informed decisions about cyber-security priorities. In addition, regulatory bodies require such an inventory for judging whether a facility is in compliance or not. Finally, a comprehensive asset inventory eases end-of-life planning, upgrades and long-term management of key safety or legacy process control and other systems. So, developing such an inventory is a great place to start.

Most facilities don't know precisely what's plugged in on the plant floor; it isn't always easy to determine. Managing compliance requires a robust inventory, including:

• IT inventory (operating systems, IP addresses, user permission levels, etc.);
• operational inventory (control systems and software, etc.);
