Cyber Adds to Downtime Costs: ARC-SANS

Wednesday, December 6, 2017 @ 04:12 PM gHale


By Gregory Hale
Manufacturers understand the cost of downtime, but when you add a cyber incident into the mix, costs could quickly spiral out of control if there is not a solid security plan in place.

“(Security) awareness is increasing and the connection that needs to be made is asset owners have been long aware of consequences they want to avoid, but the connection that needs to be made is those consequences can be precipitated by means other than they have anticipated where they might have in the past focused on physical equipment failure now we are educating them and they are aware a cyber incident — be they deliberate attacks or inadvertent incident — could cause the same problem,” said Eric Cosman, a cyber security expert with ARC Advisory Group during a podcast with the SANS Institute. “That is a positive development.”


This past June, ARC and SANS agreed on a collaboration to help educate and train the manufacturing automation industry on the dynamic and evolving cybersecurity environment, and they are conducting a series of podcasts with ISSSource to inform the industry on key security issues.

When users come to grips with understanding downtime costs as they relate to cyber, that could lead them to a discussion about a security return on investment (ROI).

“Security investments are really good business,” said Doug Wylie, director at SANS Institute. “Making an investment in security is really aiding us in risk avoidance. It accelerates our ability to make sure we are addressing risk so we can respond and recover.”

Yes, technologies are available to help deal with security issues, but Wylie said security all comes down to people.

“It is a people problem first. When we are making our investments, the first dollars spent should be oriented toward people to make solid decisions to address downtime and make sure we are getting a return on investment,” Wylie said.

Looking at ROI and understanding the cost of downtime is an end-point of a security issue, but before end users jump into a security program, they need to start somewhere.

“The first thing they have to do is understand what it is they are trying to secure,” Cosman said. “It is very common to see they don’t have an active description of what they have in their facilities. There is a tendency sometimes for people to look for the silver bullet, ‘tell me what tool I have to implement to keep my facility secure.’ Unfortunately, it is not that simple. If you go to technology first, you are probably going to spend money you don’t need to spend and you will get less than a desirable result. So, you have to focus on the assets and the processes you use and the people. Once you have that foundation in place then you can start to look at specific tools and technologies to make your situation better.”

Security is such a dynamic environment that it is hard for manufacturing automation professionals to step away from the everyday workload, but there are approaches they can take to ensure a secure workspace.

“OT companies are very accustomed to using continuous improvement models in their process — striving for enhanced efficiency and productivity,” Wylie said. “In order for progress to be made, establishing a baseline of where an organization is remains essential. It is considering all facets of risk that could affect the operation and the main objective of the industrial control system. We also have to accept the fact there will be setbacks and by using continuous improvement models, we can learn from those issues and make sure we are not going to complete past mistakes.”

Along the lines of that ever-evolving security environment, Cosman said, “Security is not a project, it is a process. By implementing that continuous improvement cycle again and again, you move up the ladder of security performance.”

To expand on the security message, ARC Advisory Group will hold its 22nd annual conference Feb. 12-15 in Orlando, FL, and the 13th annual SANS ICS Summit will also be held in Orlando, March 19-20.


