ARC-SANS: Security Education for Industry

Tuesday, September 19, 2017 @ 11:09 AM gHale


By Gregory Hale
As cybersecurity awareness continues surging to new heights, education and training appear to be going hand in hand with it.

The next step in the march toward a secure environment is for manufacturers to get activated and ensure they have a well-thought-out cybersecurity plan moving forward.

That falls in line with the change occurring throughout the manufacturing automation sector, with new ways manufacturers operate, use technology, boost connectivity, and develop new partnerships.

That is one reason why ARC Advisory Group and SANS Institute agreed on a collaboration this past June to help educate and train the manufacturing automation industry on the dynamic and evolving cybersecurity environment.

To explain the collaboration and talk about where the industry is headed, Sid Snitkin, vice president at ARC, and Doug Wylie, director at SANS, joined ISSSource in a podcast to talk about the June announcement.

With manufacturers becoming more aware of security issues and understanding that attacks can come from outside the organization as well as inside, the idea of organizations being vulnerable can paralyze efforts to implement any kind of security solution.

“People are concerned from both sides of the issue and I think rightfully so,” Snitkin said. “Attacks from both sides can compromise a plant’s safety and productivity. One way for companies to protect against that is for them to develop proper cybersecurity strategies that cover people, processes and technology issues. The good news is we see a lot of companies are aware of the challenge and they have invested in the technologies, but they don’t seem to be getting the security benefits they expected. The lack of people and cybersecurity expertise is one of those problems and it is one of the reasons why we teamed up with SANS to address these issues.”

Along those lines, with awareness levels skyrocketing, a rather wide range of training levels is needed.

“There is no one single answer about educating people about the nuances and the risks and threats out there,” Wylie said. “There are engineers, operators and technicians interacting with these systems; they carry responsibility and they carry a capability of being proactive to mitigate risks, to see things coming and to take rapid actions. The senior levels of the organization have a need to know about risks that affect the organization so communications from operations into the business enterprise up to the enterprise is imperative. When we look at the people, process and technology, the people are the important factor.”

Critical infrastructure sectors like oil and gas are leading the pack when it comes to cybersecurity training right now, but other industries are close behind.

“Oil and gas were very quick adopters because of risks affecting their systems, especially cybersecurity risks,” Wylie said. “The industry looked at risk from a safety perspective for a long time and now they equate that with cybersecurity.”

Power generation, critical manufacturing, food and beverage, and bottling are right behind because they understand the risk, but they also understand the cost of downtime, Wylie said.

Productivity and downtime are the focus, said Snitkin, who added that new technologies are hitting the market, but people need to understand the technology and use it to their advantage.

“We have developed the ARC Maturity Model and we find manufacturers say, please, we have enough technology, what we need is people to maintain the technology,” Snitkin said. “One of the things we do with customers is they are going out and buying things and thinking technology will solve cybersecurity — all I have to do is buy technology. One thing we have done is help companies rationalize what they have by saying here are the steps you have to go through to secure your plants; what you need to do is have the resources to get the value you have invested in to get to the next step. If you don’t have the people, don’t go to the next step. It is just not a technology issue, it is a sequencing issue and a strategic issue.”

Education and training help people understand what is useful.

“I think back to coming out of school, I felt so prepared to take on the world and use all the skill I learned, but I realized about the need for continuous education,” Wylie said. “That is extremely important when it comes to cybersecurity as it affects industry because the risks and threats are constant moving targets.”
