Security Experts:

ISA Automation Week Conference Wrap Up

What is the state of cyber security in critical infrastructure?  Still immature by most standards, but improving steadily thanks to a strong effort from industry.  That was the message received during last week’s ISA Automation Week conference in Nashville, TN. In my previous report on the opening keynote, the importance of the automation to a company’s productivity and bottom line was lauded, and guidance on how to measure that success was provided. On day two and three of the conference, the critical role of industrial automation continued to be a common theme throughout the Industrial Network Security track. Securing critical infrastructure is a responsibility that begins in Operational Technology (OT), and while IT groups and contractors can and should play an important role in implementing cyber security controls, the ownership of the problem and the solution rests solidly in OT.

To those who have followed industrial cyber security for any period of time, this represents a subtle but positive change. It was punctuated by a second powerful Keynote from Major General Robert Wheeler, Deputy Chief Information Officer C4 & IIC. Like Wheeler’s delivery, which was fast and energetic, his presentation drove home the rapid-response requirements of military information operations.  Missions are difficult and complex, and patching may need to happen in real-time, on the move, and even under fire. The message returned again and again to what Wheeler referred to as ‘Speed of Change’, without which our nation would not be able to stay ahead.

To an industry that is often accused of moving incredibly slow, and that resists change like a toddler resists broccoli, this was a welcome example of adaptability in the face of adversity. Control systems are large and complex, highly coordinated systems.  The DoD is large and complex, too. Over 3.7 million people, in thousands of locations, across 163 countries, in hundreds of thousands of facilitates. A successful cyber security strategy at this scale is certainly encouraging—if they can do it, surely we can, too?

Automation systems can and should be secured against cyber threats, the tools and methodologies are being tailored to suit the needs of automation, and the operations and maintenance personal are slowly but surely building a new repertoire of skills.  In short, the industry is motivated to implement change in order to prevent risk; it is also full of intelligent and clever people.  It is an encouraging equation. 

Oil and Cybersecurity

This was perhaps most evident during a discussion led by Ayman AL-Issa of ADMA-OPCO. The technical and operational strategies of the Digital Oil Field—as they are in Wheeler’s strategy—embrace connectivity and communications.  Increased connectivity, after all, can provide safety and operational benefits, and actually minimize security risks.  By wrapping connectivity in a strong defense-in-depth strategy, we can have our proverbial cake and eat it, too. 

Ayman AL-Issa is a pioneer of increased automation in the oil industry, promoting secure, centralized control and improved end-to-end process visibility.  His work primarily improves safety, but also increases reliability and efficiency.  “When we are walking on mines,” he states, “our first mistake is our last mistake.”

This is a welcome change from the industry’s past dependence upon the mythical “air gap,” where communications and connectivity is shunned.  Instead of depending on isolation and obscurity for security, there seemed to be a general acceptance of the opposite paradigm: that careful and controlled communications can improve security.  

When done correctly, connectivity that is provided to increase operational visibility can also provide increased security visibility.  In the words of Ashok Dasgupta, Principle Engineer and MITSO at Hunstman, “Security is visibility, and visibility is security.”

There’s a long way to go before IACS security reaches the level of maturity that’s seen in the DoD, but with open and intelligent discussions of cyber threats, defenses, policies and people, the industry is definitely heading in the right direction.

view counter
Eric D. Knapp (@ericdknapp) is a recognized expert in industrial control systems cyber security, and continues to drive the adoption of new security technology in order to promote safer and more reliable automation infrastructures. Eric is currently the Director of Cyber Security Solutions and Technology for Honeywell, and is the Chief Technical Advisor, North America for the Industrial Cybersecurity Center. He is also the author of “Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA and Other Industrial Control Systems.” His new book, “Applied Cyber Security for Smart Grids” was co-authored with Raj Samani, McAfee CTO EMEA. The opinions expressed here represent Eric's own and are not those of his employer.