Invensys Talks Unified Cyber Security

Monday, October 18, 2010 @ 03:10 PM gHale

By Gregory Hale
Invensys Operations Management (IOM) wants to give security a more unified approach from the beginning of software code, all the way to the end where its integration unit is working with end users in the plant.
Cyber security is not just a relationship between a customer and a supplier. A true program encompasses quite a few other areas that can mesh together: industry, academia, standards, national laboratories, vendors and the Department of Homeland Security, said Ernie Rakaczky, program manager for control systems cyber security at Invensys, during Monday’s opening session of Invensys’ OpsManage’10 user group meeting in Orlando, FL.
“Security has to be a mindset,” Rakaczky said. “We have to think about it from the beginning much like plants think of safety.”
Rakaczky said a successful cyber security program has three major areas of focus: a user responsibility of 65 percent, a supplier responsibility of 15 percent and a shared responsibility of 20 percent.
One of the biggest challenges facing manufacturers today is that the target is constantly moving. “These systems are not like the control systems that last for 20 years,” Rakaczky said. “Time is definitely not on our side.”
Training is one of the big areas where users can gain a solid understanding of security. “If you go through training you have raised the security profile already without that much effort,” Rakaczky said.
Jim Motes, vice president of IT Security, agrees about training.
People working in low-risk areas do not feel they have to worry about security, “but they don’t understand how things have changed. The value of data is changing,” Motes said.
Only on the job for 10 months at Invensys, Motes sees his job as bringing all security together and making sure everyone is aware and remaining vigilant.
Security works if people understand and remain on the program, but it also helps if security is incorporated from the beginning. That is where Paul Forney comes in. Forney, development security architect for the cyber security program at Invensys, said “we want to build security from the code up.”
He said normal security calls for confidentiality, integrity, availability, authenticity, authorization and non-repudiation.
His objectives are to prevent unauthorized changes; prevent misrepresentation; reduce the possibility of plant shutdown; protect integrity; prevent loss of genealogy; and ensure reliability.
Going from code to the plant floor is a big step. Doug Clifton, practice leader for the critical infrastructure security practice, said they can get called into a plant where the users don’t really know what they need; they just know they need a security solution.
He said there is a difference between his organization and the networking “big guys.”
The networking guys do a fine job in the business environment, “but there is a difference working in the plant.” That difference won’t last forever, he said, as “IT and the control space are merging today.”
Security technology is out there, but it can come down to the people enforcing policy.
“No one solution will fit everything, but it can work by working together,” Rakaczky said.
