Simplifying Control System Cyber Security

In a recent Industrial Safety and Security Source blog post, Emerson CTO: Keep Security Simple, Peter Zornio shared his thoughts on trends in the safety and cyber security for process manufacturers.

In the interview, Peter was asked about the uneasy relationship between IT and process engineers that many plants and mills experience. Peter noted some product developments to help, such as:

…switches, for example, preconfigured with security features preset in them. That way when you open a cabinet and look in and see Emerson on it, the equipment is clearly part of a control system and not part of an IT network.

Peter amplified on the differences in perspectives between plant IT and engineering that I discussed in a post, Is Solving World Hunger Easier than Working with Plant IT Security? when he expressed:

I think no matter who ends up in control, they like it when we have done things to delineate the equipment that is the part of the keeping-the-plant-running mission versus the business transaction world, which can take some downtime and then pick up and keep going.

A common request he hears from process automation professionals is that system security is complicated and needs to be simplified. He highlighted some of the work done in the area of control systems [hyperlink added]:

…we have our purpose-built switches and everything is already set and with one command you can electrically turn off all the unused ports. It is mission-built for being the control network switch and we set up everything that is needed and turn off all the stuff we know should be turned off from a security perspective. That way you don’t have to worry about it. It is like an appliance rather than something you need to configure. The same is true with the PCs in our system. When you buy a PC from us, we have everything set up from a security point of view to a much higher level than the default settings that you would get if you just installed Windows from Microsoft. It is all geared toward what should work for our control system.

Peter noted how process manufacturers view security and safety in a similar manner:

…it is something everyone needs to have and it is the right thing to do because it can affect safety. Safety and security are pretty well tied together. I don’t think they look at it as an advantage. They just feel it is something we all must do or it could turn into a big problem – and they would like it to be a no-brainer.

Challenges remain in keeping systems secure. Peter observed:

…everything exists for them to be secure to the best level they can achieve, however our experiences show that a small percentage are actually following all the best practices they need to follow to be secure. I am basing that on data we are actually able to see when we visit control systems we installed and gauge how well they have been keeping up to date installing security patches and closing holes to make systems more secure as vulnerabilities have been exposed.

If you visit the cybersecurity category of this blog, I share some of the recommended best practices to help you establish a process to better secure your plant or mill.

Leave a Reply