By Gregory Hale
Levels of cyber security awareness just keep increasing throughout the industry.
“From 2006 when I first started at Invensys people were talking about firewalls and how that made them secure,” Doug Clifton said Tuesday during the Invensys Software Conference and Tech Support Symposium in Dallas, TX. “From 2006 to today you can just see the increase in awareness. The thought process is changing to thinking about installing applications.”
With all the big attacks in the news like Stuxnet, Night Dragon and Shamoon, security awareness has obviously grown among security professionals, but the good news is it has also risen among the rank-and-file workers on the plant floor.
“You are hearing about security more than just at work,” said Clifton, director of Invensys Operations Management’s Critical Infrastructure Security Practice. “Just yesterday, my kids’ school sent home a note about cyber security. So, it is all around us. Awareness is there.”
“When I started, security was all about being an insurance policy. Today we can also make the network performance much better. The goal is to protect the network from various things – even themselves.”
Some companies talk about security compliance and some talk about tactical solutions, but Clifton said they should be somewhere in between, where they are compliant with best practices and standards.
As the awareness increases, some people will talk about doing a penetration test to attack a system to find weaknesses. But Clifton talks about doing a vulnerability assessment.
“We want to get the basics introduced,” he said. “After a while we may get to the point of doing a penetration test, but we are not there yet. We want to bring in best practices. We don’t want to focus on the big monster of NIST standards. We want to deal with the basics on how you can protect yourself without breaking the bank. We find we have clients that are not sure what they have that needs protecting.”
He talked about one case where he went into a manufacturer and they told him they were not sure why they needed security at all. They were a small company that was producing a simple product. As it turned out, they were making a good bit of revenue off a new type of coating that would ensure their customers would only have to apply it once a year instead of the usual twice a year. That, they said, would save their customers time and money. Clifton then asked them whether they would not want to ensure their intellectual property, in this case an industry-leading product, stayed in their possession and did not fall into the hands of a competitor. That is when they understood why they needed a security program.
“Securing intellectual property is pretty fundamental along with safety of personnel. Not enough people give credence to securing intellectual property.”
Yes, awareness is on the increase, but oftentimes Clifton and his team have to visit a user and just sit down and have a conversation about their objectives.
Security will mean there will be changes, and it will not be business as usual. The main goal is to not add in levels of complexity. We want to take it and make it more robust and create an environment that is not impactful to their work.
“Going from zero to secure is a pretty big step,” he said. “There are intermittent goals along the way. It is a journey. The further along they are in the journey, the better the questions they ask.”