Emerson CTO: Keep Security Simple

Thursday, May 5, 2011 @ 08:05 AM gHale

Editor’s Note: Peter Zornio, chief technology officer at Emerson Process Management sat down with ISSSource editor Gregory Hale a little bit ago and talked about trends in the safety and security market in the manufacturing automation industry.

ISSSource: There has always been an uneasy relationship between IT and process engineers. From your perspective who owns the security area, and how are the groups getting along?

Zornio: That has been a question that has been asked for 15 years now, ever since we started going with open systems. I honestly can’t say there is an overall trend that seems to be going to one point. We have seen sites where automation departments have become a specialized part of IT, where the IT guys have come and taken over. We have seen other sites where the automation guys may have known more than the IT guys and expanded their scope to include some of Level 3 and the production management networks and chiseled that off and hung on to it. We have seen it go both ways.

Emerson's Peter Zornio

Emerson's Peter Zornio

What I can tell you is, in general, the guys in process automation like us to do some things that make our equipment clearly part of production versus being a part of IT. We have responded by making our switches, for example, preconfigured with security features preset in them. That way when you open a cabinet and look in and see Emerson on it, the equipment is clearly part of a control system and not part of an IT network.

That makes a difference because there is still that attitude difference in terms of criticality of uptime that exists between the process world and the IT world. In the IT world, they are used to sending out an email saying “we will take down the server at 8 o’clock and email will not be available. Have a nice day.” Well, that just doesn’t fly in the production world. I think no matter who ends up in control, they like it when we have done things to delineate the equipment that is the part of the keeping-the-plant-running mission versus the business transaction world, which can take some downtime and then pick up and keep going.

It is not just the production. It is also the systems monitoring for the EPA or other environmental areas. They have to keep the systems on line that are tracking all the EPA data and reporting. If you lose systems that are monitoring the EPA data, that is a huge deal because that could result in big fines.

As I said, it has been ten to 15 years now and we haven’t seen a definitive trend shake out; it goes company by company. It is still shaking itself out.

ISSSource: When you talk to users today are they talking more about security?

Zornio: What they are asking for is ways to make security easier. Right now it is perceived as something that can be achieved; all the tools are in place, but it involves a lot of work. It involves writing best practices and procedures and making sure they are enforced and making sure the technology is in place. What users would like is something that makes it automatic. They like what I call “no brainer security.” On the control system side we have our purpose-built switches and everything is already set and with one command you can electrically turn off all the unused ports. It is mission-built for being the control network switch and we set up everything that is needed and turn off all the stuff we know should be turned off from a security perspective. That way you don’t have to worry about it. It is like an appliance rather than something you need to configure. The same is true with the PCs in our system. When you buy a PC from us, we have everything set up from a security point of view to a much higher level than the default settings that you would get if you just installed Windows from Microsoft. It is all geared toward what should work for our control system. So again, you don’t have think about going in and setting it. You are buying something that is purpose built. We do the same thing with patch management with our Guardian offering. We can come down and look around your system and see what you have installed and tell you “these are the patches that apply for you that we tested, so go ahead and install just these.”

Again, what they are really asking for is “make this easy.” Security is complexity and work that is adding little productivity or value. Managing complexity is a big thing, and what we see with security is that our customers see complexity that really isn’t making a single extra drop of product. The attitude, I would say, is, “Please make it so I don’t have to think about this.” That is really what they would like to see.

ISSSource: They are seeing security as a cost center, not necessarily an area that could make them money?

Zornio: I think it is viewed as a potential liability, not an advantage. It is a huge liability that something has to be done about. But are they thinking, “If our plant is more secure than the other guy’s plant, we’ll keep running while they go down during a cyber attack?” I don’t think anyone is thinking that way. They think of it as more like safety. They think it is something everyone needs to have and it is the right thing to do because it can affect safety. Safety and security are pretty well tied together. I don’t think they look at it as an advantage. They just feel it is something we all must do or it could turn into a big problem – and they would like it to be a no-brainer.

ISSSource: The concept of safety has been around for a long time and cyber security has not. Do you find companies are thinking security is part of their DNA?

Zornio: That mindset is coming in kicking and screaming. It is not something you are excited about spending a bunch of extra money on because you don’t view it as a differentiator for you. But you know you have to. It also depends on the size of the company. The bigger ones are putting in dedicated folks and making sure best practices are going in and things are getting done. In the case of the power industry, they have some very specific regulations now with NERC-CIP being thrust upon them. They have no choice because there are fines and other enforcement that would happen. Again, we can help by making sure that not a lot of extra work is involved, so it will feel like less of a hassle.

Security is a journey and not a destination. That is something else our customers don’t like about security. They like projects. They like to tackle a thing: We put this technology in and we drive on. Security is a lifestyle thing, just as safety is a lifestyle thing. This is an ongoing lifetime expense and effort that needs to be put in.

ISSSource: Do you see the government getting more involved in security across the board?

Zornio: From my perspective, four or five years ago I would have thought that was coming, with the Department of Homeland Security getting more involved with everyone. But the level of involvement seems to have stabilized for now.

ISSSource: No talk about security is complete without discussing Stuxnet. Looking back, just what did Stuxnet mean for the industry?

Zornio: What it did is make it clear that somebody can specifically target any company or any group of users if they have enough detailed knowledge. When Stuxnet first came out, I thought it was a disgruntled inside worker. To me, in all the security stuff I have ever seen, the hardest thing to protect against is an insider with knowledge who is out to get you. At the end of the day, in any security scenario you end up trusting someone or some people, and if that goes south you are in real trouble. It makes it clear that everyone is vulnerable. The other scary thing about Stuxnet, and many newer viruses in general, is when they go in and settle down and wait for instructions. That is a very scary thought.

ISSSource: Are manufacturers secure today?

Zornio: I would say everything exists for them to be secure to the best level they can achieve, however our experiences show that a small percentage are actually following all the best practices they need to follow to be secure. I am basing that on data we are actually able to see when we visit control systems we installed and gauge how well they have been keeping up to date installing security patches and closing holes to make systems more secure as vulnerabilities have been exposed. It is a pretty small percentage today that are really doing a good job of keeping up.

ISSSource: There seems to be a big increase in safety incidents of late. Is it just coincidence or in a down economy are people cutting corners?

Zornio: It’s easy to speculate that some of this is happening because of the cost pressures some of the manufacturing guys have been under. I can’t say that is the case because I am not working in a plant right now. I would also speculate another piece of it would be the experience – what we are calling the brain drain – leaving an organization. You may have less experienced people around who have not seen the realm of circumstances and operating conditions the senior guys have seen and know how to recognize when something is not the way it should be.

The whole safety area, as we have talked about, is a lifestyle kind of thing. There are a lot of technology and tools to help. Obviously we are big in helping in the SIS area and enforcing the IEC standards around that. But then again those are just tools. You can decide to lose weight and buy the best exercise equipment in the world and let it gather dust in the living room. If you don’t take advantage of using it and applying it properly it will not deliver any results for you.

ISSSource: We have seen numbers thrown around the industry that manufacturers are losing around $20 billion a year in safety and security incidents. Do you think that is a solid number?

Zornio: I think it is a reasonable number. I would say the total unplanned downtime is definitely around that number. Are they all safety and security kind of incidents? I don’t know about that. There are also other large contributors. If you also put in “failure to follow the correct procedure” under safety – that is a very large contributor – then I think the number is real. Frequently people do not follow established procedures or those procedures are out of date or not well documented. If somebody is not experienced in starting up a facility after it has been shut down for a long time, that can be a problem. Equipment failure is still a part of unplanned downtime. Also acts of nature, like lightning strikes, are also a big cause behind unplanned downtime. It depends on what you put in safety.

On security, the number revolves around opportunity costs you are losing. That is a hard true number to come up with. That is very different from when you are forced to shut down a plant for a day and you know what the costs are.

3 Responses to “Emerson CTO: Keep Security Simple”

  1. Zornio says, “When Stuxnet first came out, I thought it was a disgruntled inside worker.”

    Indeed, it was a disgruntled worker/saboteur or whatever, right? Stuxnet got into that Iranian plant on a thumb drive, correct?

    The point is, if you can walk the virus past the firewall, the control system is in real trouble.

  2. jlangill says:

    Zornio is very respected in the industry, however I believe that we are only going to move forward with regards to security when vendors are more open and honest about their vulnerbilities and how users can protect their systems. In the safety space, all vendors produce a manual on what you can NOT do if you want a “safe” system that meets certain standards. We need to move in this direction with security as well. It is time to “walk the walk” and allow security vulnerability assessments and security reviews as part of ever vendor shop test (aka FAT/SAT).

  3. […] a recent Industrial Safety and Security Source blog post, Emerson CTO: Keep Security Simple, Peter Zornio shared his thoughts on trends in the safety and cyber security for process […]

Leave a Reply

You must be logged in to post a comment.