As I was catching up on my RSS feeds for all the things going on in our world of process automation, I came across a cyber-security podcast interview conducted by Traci Purdum, senior digital editor for Chemical Processing magazine. She interviewed Eric Byres, who is the chief technology officer of Byres Security. I gave the 23-minute podcast a listen yesterday and sent the link to Emerson’s Bob Huba, whom you may recall from earlier cyber security-related posts.
Borrowing a page from my playbook, Bob listened to the podcast during his commute. Eric made some strong points in the podcast that resonated with both Bob and me. Eric noted his perception that chemical plants assume they are more secure than they really are, mainly because the risks are invisible. You don’t really see the risks until something happens. Bob notes:
I agree with Eric for the most part, especially the part about needing and following procedures to remain protected. You are never “secure”. There are still many process manufacturers who are waiting for or wanting the technology to solve the security problem for them.
Eric mentioned a great phrase, “security by obscurity”, which painted a very clear picture of one of his points. Some process manufacturers stay with very old, proprietary automation systems, hoping to avoid the security issues associated with more modern systems built on commercially available operating systems, databases, communication stacks, etc. He explained that even in these plants, there are Windows-based systems connected to the automation systems. These connections poke holes in the hope of remaining invisible.
Eric also makes a strong point that complexity is the enemy of security. To this point, Bob adds:
The part about being simple is a great comment–as you know, we have a simple-to-use firewall for our controllers similar to the one mentioned. We have also introduced our DeltaV Smart Switch with easy-to-use security features. The DeltaV team strongly believes that “keep it simple” solutions will be the most successful.
One final part of the podcast that struck a chord with Bob:
He is on target that we need to have concerns about the current SCADA security solution movement to treat the SCADA system as an extension of the plant LAN and apply the same solutions. There is great complexity in many of these IT-based solutions that are simply not needed for many SCADA systems. Complex solutions may be necessary in the IT world. In the SCADA world, they just increase the complexity beyond what a control system maintenance person can hope to implement successfully–especially at 3am Sunday morning when something fails. There is almost a greater danger these solutions will create more operations problems than the security threats they are intended to mitigate.
If cyber-security is part of your set of concerns and you’ve got 23 minutes to spare, possibly on your commute, the podcast is worth a listen.