Emerson: Talking Security Assessment

Wednesday, October 10, 2018 @ 05:10 PM gHale

By Gregory Hale
Making a shift toward digital transformation cannot occur without a solid cybersecurity plan, and the problem is there are plenty of manufacturers out there today that are just beginning that process.

No one will deny starting to assess cybersecurity readiness for a single site can be daunting, but there is hope. All any user has to really start with is doing a basic assessment of what they have and what it is connected to.

Emerson: Safety Location Awareness
Emerson: Digital Transformation Taking Hold
Emerson Deals for GE’s Intelligent Platforms
Indegy Releases Awareness Video Series

When that occurs, then the user can conduct upfront planning and create a roadmap for a course of action.

“Some users do not feel they are in an unsafe place,” said Rick Gorskie, a global manager for cybersecurity at Emerson Automation Solutions during a presentation entitled, “Assessing Cybersecurity Readiness: From a Single Site to an Entire Enterprise” at the Emerson Global Users Exchange in San Antonio, TX, last week. “There are working models of people thinking IT infrastructure would provide protection. Many people think it is IT’s job to handle security. I am here to say that is not the case.”

While Emerson always talked about cybersecurity at previous user group conferences, this year’s effort was impressive in the breadth of coverage they gave the subject.

Along those lines, Gorskie said he has met with plenty of his customers and they feel their security posture is better than average. But the reality is that may be more of a pipedream than anything else.

That is why he feels manufacturers should start off with a basic assessment of their site.
There are seven key categories/vectors user should look at:
1. Network security
2. Workstation hardening
3. User account management
4. Patch and security management
5. Physical and perimeter security
6. Security monitoring
7. Data management

Once that assessment comes out there should be a report looking at what issues should be addressed first and that is the beginning of the journey toward a more secure environment.

“Most users will be ready to start immediately after doing an assessment,” Gorskie said.

In addition, users need to understand one of the biggest issues facing them and that is patching. Patching has been an ongoing issue for years and with continuous processes, like a refinery, running for years on end, end users don’t feel they have time to implement patches. But with ransomware incidents like WannaCry and NotPetya that worked off a patched Microsoft vulnerability, manufacturers felt the crush of not patching a patched vulnerability. It cost some companies hundreds of millions of dollars.

“Patching the most important thing to do, and we don’t do it,” he said.

Once the user is ready to start their cybersecurity journey, they need to move to create policies and procedures, Gorskie said.

“It is not rocket science, it is something we do every day,” he said.

Gorskie related creating security procedures to safety procedures.

“If you don’t follow safety procedures, you will eventually be let go,” he said. “Security should be the same way. It is about doing the right thing and making sure you follow it.”

While he said OT security is different than IT security, there needs to be a change in mindset on the plant floor. The reality is there are plenty of tasks IT people do on a daily basis, Gorskie said, but there are some things OT does.

“Cybersecurity is not a set it and forget it,” Gorskie said. “We use some of the IT techniques and apply it to the OT space.”

When it comes to security, manufacturers can’t just have security for security’s sake, rather they need to incorporate security into desired business results.

But in the end, “it all starts with a basic cybersecurity assessment. Do the assessment. Start the journey.”

Leave a Reply

You must be logged in to post a comment.