By Gregory Hale
Security experts need to stay on top of leading indicators and the latest technologies to keep ahead of the increasing number of sophisticated attacks hitting manufacturers’ systems, but at the same time they need to understand that a vast majority of end users are just starting to ramp up their understanding of what to do.
End users came to a session entitled “The State of Cybersecurity in Operational Technology” last week during ABB Customer World in Houston, Texas, wanting to learn some of the basics of security.
“We are starting a program where first you have to assemble a team,” said Torey Smith, process control administrator at Hemlock Semiconductor. “That small team has to come up with a plan.”
As was apparent from participants in the audience, users jumping into a security program can often end up paralyzed because security is such an enormous task. Instead, they need to learn they can take it on one step at a time and not all at once.
“You have to get out of the deer in the headlight approach,” said Dr. Ragnar Schierholz, head of cyber security industrial automation division at ABB. “DHS has a cybersecurity maturity model that works. We propose a staged approach to get to the first step in security.”
Larry O’Brien, vice president overseeing cybersecurity and smart cities at industry research firm ARC Advisory Group, agreed with Schierholz, but added that security ends up being an issue of people understanding what they have to do.
“Start simple. Standards are good, but they are not good for starting. First you need to build awareness in the company with basic things like anti-phishing awareness.”
He then went on to say a company can do something like a phishing exercise where the person learns why they should not click on an attachment in an email from an unknown sender. If they continually fall for the ploy, then maybe they can go to human resources or they can take a class to learn best practices.
“If you can show them the risk they are exposing the company to, that can help change the mentality,” Schierholz said.
In addition to talking about getting started with security and not being consumed by the enormity of the subject, panel members also talked about the convergence of IT and OT.
“We used to have two teams, now we are becoming one team,” Smith said.
O’Brien responded to that by saying, “You are ahead of the curve. It is a big deal. No matter where you go, convergence is happening, and it is accelerating.”
That acceleration started, O’Brien said, with commercial IT technologies seeing action on the plant floor instead of proprietary technologies. Where once IT and OT did not get along very well, today they often have to work side by side.
“Cybersecurity and commercial technologies pushed convergence,” O’Brien said. “Now, both sides are learning to communicate.”
“There is a huge disconnect,” said Randy Howard, cybersecurity solutions principal at Microsoft Corporation. “We take an application and test it out and make sure we understand the value and make sure everyone is on the same page.”
In the end, it is all about everyone knowing the end goal is to produce product in the most efficient, cost-effective and profitable fashion.
“When I talk to customers it is OT that creates value,” Schierholz said. “Other companies have advanced IT security, but process is a black box. Some companies are now mixing teams.”