Emerson: Vital Role of Security Communications

Wednesday, October 14, 2015 @ 06:10 PM gHale

By Gregory Hale
Being able to communicate is such a strong factor when it comes to security that end users not only need to have people, processes and technology in place, but also need to discuss, and understand, what they need in a solution.

“Security is not a set and forget process,” said Jeff Potter, director of security architecture at Emerson Process Management, in a Tuesday session entitled “The Myth of Secure Out of the Box” at the 2015 Emerson Global Users Exchange in Denver, CO. “Securing your system out of the box; I am not sure what that means.”


At face value, the phrase implies that security gets installed once and the solution then keeps working on its own. The problem is that security is such a dynamic, evolving environment that end users need to understand the constant care they must take to monitor the system.

Secure out of the box could mean:
• Secure per design and bid specifications
• Secure as delivered
• Secure as commissioned

“If you want a secure PC in your house, there is a long list of things you need to do,” Potter said. “In the business IT environment, things are that much more complicated and you need to establish policies and procedures.” Then add the industrial control system on top of that.

While suppliers and integrators work to install and implement security, in the end, the ultimate responsibility falls on the asset owner.

Along those lines, asset owners need to understand the nuances of what a security program is all about.

“You as the asset owner have to create firewall rules and also understand maintenance policies when you do things like switch configurations and lock all ports to prevent unauthorized devices,” said Bob Huba, recently retired security architect for DeltaV at Emerson, during the talk.

You have to create workstation hardening policies, manage USB policies, and decide whether you want to add two-factor authentication, security monitoring, backup and recovery, and maybe network scanning, just to name a few things.

“If I am going to do security out of the box, you will get complex passwords,” Huba said. “If you don’t want that, then you will have to change it. If you don’t ask for things, it won’t happen.”

In short, Huba's point was that asset owners need to be specific about what they want in security, because they will only get what they ask for.

“If you don’t put this all in the requirements in the RFQ (request for quote), you will not get everything,” he said. “You have to get out in front and understand everything you want to accomplish.”

For instance, Huba said, if the RFQ only says you want to be compliant with the standard, that really doesn’t say much of anything.

“If you are compliant to the standard, it doesn’t mean you are secure,” Huba said. “You have to tell us what secure out of the box means to you. We can provide you security out of the box only if you tell us what the box looks like.”