By Gregory Hale
Larry Spoonemore knows the advantages of cyber security go beyond just securing the plant. He knows it can be a productivity enhancer.
“You will find if you manage the issues and over a period of time, you will improve productivity,” said Spoonemore, the control system integrity coordinator at energy provider Southern Company during his talk Tuesday on Automated Management of Cyber Security Assets at the PAS Technical Conference in Houston.
Southern Co. wanted to find out just how vulnerable they were, so they decided to run a test.
That test involved bringing in an IT person to see if he could get into their system and change control parameters.
“Within 15 minutes he was able to get in and he was able to reset all the control valves,” Spoonemore said. “That forced us to inventory our access points.”
He said the company went and took that inventory of their assets and ended up taking a snapshot of all the points. It took them two years to get to the point where they were confident they had that snapshot. The problem was the snapshot of their access point was two years old and quite a bit changed over that period of time.
“After a long determination to see if we were vulnerable, we determined we need a security program, not just one tool or device,” he said.
They also decided to automate the collection of system data points since it was a changing dynamic environment. They called their system the Control System Integrity (CSI). But, he said, you can have all the technology you want, in the end, security comes down to people.
“Cyber security is not a computer problem, it is a people problem,” Spoonemore said. People have to know and understand the environment they are facing and be ready to tackle the challenges, not run away from them.
With more people facing the security issue, companies are able to become more productive. Spoonemore said by implementing a security program, which included CSI, they were able to generate 8 to 15 percent savings in man year per operations.