March/April 2011

Executive Corner

Defense in depth: It's more than just the technology

By Jason Urso

Quick … name the most common cybersecurity threat in today's industrial manufacturing plant.

Open data ports that could be infected by a corrupt USB device? A lack of a security policy? Stuxnet? Or the next iteration of Stuxnet?

All of these could be viable answers. But perhaps the greatest cybersecurity threat facing the modern-day manufacturer has nothing to do with things like open nodes, control system architecture, a failure to segregate a process network from a business LAN, or even the latest worm that has penetrated process control networks, as well as mass media headlines.

The biggest cybersecurity vulnerability could very well be a belief-the belief that a cybersecurity system, even a good one, is guaranteed to stop every threat, every time. This is simply not true. Due to ever-changing cybersecurity threats, a cybersecurity program must be designed to be regularly updated and periodically reviewed. In many ways, this approach for cybersecurity is similar to what we do in industrial plants when we define and design our safety systems and culture. Like safety, we do not want failures in cybersecurity to impact our manufacturing process, our people, the environment, or our corporate image.

There are three keys to a successful cybersecurity program for any industrial manufacturing plant: people, process, and technology. We tend to rely on technology to keep us safe, but the other two aspects are just as important.

One of the first steps in setting up a good cybersecurity program is to have senior management support for the program and a commitment that all personnel be trained for the roles that they play in maintaining the cybersecurity of the industrial control system. In addition to processes for deploying and refining technological measures, it is just as critical for plants to develop effective processes and guidelines for behaviors affecting plant security (such as use of USB memory sticks) and disaster recovery in the event of a successful attack (including incident handling, team notification, escalation and containment procedures, and interim measures for resuming business and post-incident analysis).

Finally, a cybersecurity program can only be effective if all employees receive appropriate training and embrace the purpose and value. It is therefore critical to provide employees awareness training and education, with extra care to keep in constant communication regarding corporate cybersecurity programs, updates, guidelines, and new threats. This will go a long way to reducing incidents that can result from simply a lack of general cyber awareness.

When it comes to guarding against and preventing cybersecurity incidents, a defense-in-depth program is certainly the most-recommended and effective method. A good cybersecurity system will have multiple layers of defense providing protection for the industrial control system. These layers of defense need to be redundant, so the industrial process will be able to continue to operate if one layer fails-even if it has to operate at a lower level. 

Staying current with new cyber technology and related services will add to your defense-in-depth portfolio and likely reduce (in time) much of the administrative effort required to manage your assets. That includes keeping current with existing technology and assuring your cybersecurity processes and procedures are documented and followed. Awareness is a natural extension to your defense-in-depth philosophy and the technology that enforces it. The best way to stay current with new technology is to perform regular, periodic cybersecurity assessment of your systems, processes, and policies. These reviews will identify areas for improvement, and implementation of those improvements is mandatory in order to keep up with the newest threats.

Senior management support is an absolute necessity for any cybersecurity program, so the emphasis on cybersecurity can be maintained throughout the entire organization all the way from the operators of the plant to the boardroom.

ABOUT THE AUTHOR

Jason Urso has been with Honeywell Process Solutions (HPS) since 1991, holding several engineering and marketing roles during that time. Urso is currently the vice president and chief technology officer for HPS and is responsible for design and development of products for industrial process control industries such as refining, chemicals, upstream oil and gas, pulp and paper, power generation, mining, and pharmaceuticals.