Emerson’s Bob Huba shared some things to think about in his Emerson Exchange Stuttgart presentation, Implementing a Control System Security Program Using a Familiar Plant Model. His abstract:

Developing a security program for your control system can be frustrating as there does not seem to be a good model of how to do this in a process facility.

This presentation will present a familiar plant program model that can be used to get you started on security and build a foundation on which to increase the maturity of your security over time.

Bob opened sharing his 2 foot rule. If you don’t like his presentation, feel free to use your 2 feet to leave. His focus was to look at security from a human centered design approach.

Standard IT security is not appropriate for control systems. An example is patch update that is automated that loads the patches and reboots when completed. This can’t be done without a plan in place to handle the loss of an operator station during the reboot process.

Bob noted that the biggest fear is the loss of view that makes an operator shutdown the process. A big part of the security problem is people doing insecure things. Examples include plugging in unfamiliar USB sticks and following insecure URL links.

As IT installs more and more complex security solutions, these can cause outages when applied to control systems, where denial of service is dangerous. Security has both technical and people issues to resolve. Like safety programs, security requires people, processes, and technology. Make HSE (health, safety & environment) become HSSE–health, safety, security & environment.

For a security program, train the people who are interfacing with the technology, from operations to maintenance, to project and process engineers. Following the safety program model makes a security program more easy to understand and be embraced by the people who interact with the control and instrumentation.

Also like a safety program, a security program should be localized the plant. It must make sense to everyone involved and not be pushed down from above. Key to implementation is that there is ownership by the people involved in interacting with the systems. IT should be informed and provide auditing to make sure what is identified in the program is being done. It’s a collaborative effort.

The security program begins with a security champion who leads the effort, trains the personnel, liaises with IT organization, and is the person responsible that the program sustains over time.

Bob suggested that the utilities area is a good spot to begin since it impacts the entire production operation. It’s where the key elements of the program can be worked about and successes built as it is expanded plant wide.