In this Q&A feature, author Steve Mustard, an industrial automation consultant with extensive technical and management experience across multiple sectors, explores the focus, importance, and differentiating qualities of Industrial Cybersecurity: Case Studies and Best Practices.
Please tell us about your professional background.
I have been working in industrial automation for more than 30 years. My degree was in control systems engineering. After graduation, I worked in the space and defense sector, developing real-time embedded systems for surveillance and reconnaissance applications. I gained experience in a wide range of interesting projects such as sonar tracking, image and speech processing, fissile materials manufacturing, and internal security and counterinsurgency. Due to my background in real-time systems, I was asked to lead a product center focused on supervisory control and data acquisition (SCADA) for the water industry. I worked with water companies in the UK, Ireland, and Australia, supporting and developing hardware and software.
My first involvement in industrial control systems cybersecurity came through a client in Australia who had been asked by their government to address security risks in response to the infamous Maroochydore incident of 2000, when a former contractor used their access to pump raw sewage into the environment over a period of months before they were caught.
I eventually led a venture-capital-backed management buyout of the product center and established a UK company called Metasphere. I ran that company for a few years, then my family and I decided we wanted to change our lifestyle. I applied to the US government for an entrepreneur visa, which I was granted. I set up a new business in the US called National Automation. The business provides products, services, and consulting related to industrial control system users. I continue to represent Metasphere and their SCADA solutions, as well as Straton Automation, a French company that provides IEC 61131-3-compliant software PLC solutions.
My main business activity is in industrial control systems security consulting. I support asset owners in developing cybersecurity management systems, performing security risk assessments, and providing employee awareness training. For the past five years, I’ve been working as the cybersecurity subject matter expert on a project for an oil and gas super major that is developing a new production platform for deployment in the Gulf of Mexico.
What inspired you to write this book?
Having spent close to 20 years involved in industrial control systems cybersecurity, I have gained a lot of practical experience that I wanted to share. I feel that despite awareness of the issue and the significant investment in many sectors, we have collectively failed to address the root causes of cybersecurity risk. We are still at the stage where asset owners are exposed to intolerable levels of risk, and I want to help bring some attention to the areas I think they should focus on.
Who is this book written for? Do you consider it to contain basic information, or is it more advanced?
This book is for anyone involved in industrial control systems cybersecurity including asset owners, vendors, system integrators, and consultants. When I refer to industrial control systems, I mean any system used to monitor or control any physical equipment. That can include building control systems, such as heating, ventilation, and air conditioning systems; water treatment plant SCADA systems; oil and gas distributed control systems (DCSs); or safety instrumented systems (SISs).
I have written a book that can appeal to everyone, no matter their technical knowledge. While the book contains technical information, I have avoided excessive jargon and terminology that can often be hard to follow in this subject matter.
This is not a book for those who are looking for guidance on specific technologies or solutions, nor does it offer a quick fix to address cybersecurity. The book focuses on how to understand risk, how to apply existing safety management methodologies, and how to approach the secure design of industrial control systems.
What is unique about this book? What separates your book from the competition?
There are many books on cybersecurity, but very few focus on people and processes, which is where most cybersecurity vulnerabilities still exist today.
My book focuses on the underlying issues in industrial control system cybersecurity. I have incorporated my collective experience in this subject from the past almost 20 years—experience that I have gained working in industrial facilities around the world. The guidance in my book is pragmatic, based on what I have seen work and fail.
There is no single answer to addressing cybersecurity risks, but I hope my book will help people focus on the appropriate issues and address them in practical ways.
What are the key takeaways from your book? Is there a problem that the book can help readers solve?
Cybersecurity risk is a constantly moving target, but I believe that we are still not adequately addressing our most basic vulnerabilities. If we are to collectively address the risks faced in our critical infrastructure, we need to change our approach to addressing industrial control system cybersecurity risks.
We have long recognized that industrial control system cybersecurity is different, but I believe we have not adequately explained these differences. In my book, I attempt to explain the differences and then discuss how to manage cybersecurity more effectively with these differences in mind.
About Steve Mustard
Steve Mustard is an independent automation consultant and subject-matter expert of the International Society of Automation (ISA) and its umbrella association, the Automation Federation. He also is an ISA Executive Board member.
Backed by nearly 30 years of software development experience, Mustard specializes in the development and management of real-time embedded equipment and automation systems, and in the integration of real-time processing, decision-support, and other disparate systems to improve business processes. He serves as president of National Automation, Inc.
Mustard is a recognized authority on industrial cybersecurity, having developed and delivered cybersecurity management systems, procedures, training and guidance to multiple critical infrastructure organizations. He serves as the Chair of the Automation Federation's Cybersecurity Committee.
Mustard is a licensed Professional Engineer, a UK-registered Chartered Engineer, a European-registered Eur Ing, an ISA Certified Automation Professional® (CAP®), and a certified Global Industrial Cybersecurity Professional (GICSP). He also is a Fellow of the Institution of Engineering and Technology (IET) and a Senior Member of ISA.