Security by default
That was the consensus during this morning’s vendor panel discussion entitled, “State of Building Security In: Where Are We in That Process?” at the Process Control Systems Industry Conference in San Diego.
The panelists agreed there isn’t one system out there a manufacturer uses that doesn’t include multiple vendors. So, the user needs to know what they want to do with their approach to security.
“It’s a collaborative effort,” said Ernest Rakaczky, principal security consultant, enterprise architecture and integration with Invensys Process Systems. “We are not the enemy. We are here; our vested interest is for users to run efficiently without incident.”
“We need a full holistic view of the entire system even if we don’t own all the parts,” said Paul Skare, director of security and deployment at Siemens. “Vendors need to encourage asset owners feedback rather than an analytical perspective from the back office.”
“We need users to help us bridge the gaps we don’t know about your systems,” said Robert McComber, product security specialist, project manager-INL testing at Telvent. “We can work together to build something.”
As the infrastructure evolves, how security works on a system will change from its current model right now. Instead of patching and adding on security measures, all vendors agreed down the road security will be the default on the system.
“Security should not be a differentiator, it should be a requirement,” said Kevin Staggs, engineering fellow at Honeywell. “Security just has to be there.”
“Our systems can be configured to be secure, but they should be secure by default,” said Dr. Markus Braendle, ABB corporate research. “The challenge for end users is after the system is installed to keep these systems secure.”