PAS: Change Security Conversation

Wednesday, May 28, 2014 @ 04:05 PM gHale

By Gregory Hale
Fear mongering was always a given when it comes to security. It is simple to talk about the bad guys lurking just waiting to pounce, but there has often not been enough to back up the talk.

“We have to change the conversation. We need less FUD — fear, uncertainty and doubt — and focus on process capability and potential consequences,” said Eric Cosman, operations IT consulting engineer at The Dow Chemical Company during his talk last Wednesday at the 2014 PAS Technology Conference in Houston. “You have to know the bad things that can happen, plus you need to speak in plain language, not ‘geek speak.’ You also need to know what you are trying to achieve and why.”

PAS: Visualizing Data; Automating Compliance
PAS: Knowledge in Context
PAS: Security is a Safety Issue
PAS: Connecting the Dots

That is an important goal because of the abundance of information that is floating around these days. However, When security first became established as an important element in control automation, there was a scarcity of information.

“There is almost too much information available and that can be confusing to people,” Cosman said. “Before there was not enough information.”

In dealing with information, the old discussion arises about the rocky relationship between Information Technology (IT) and engineering (or operations technology, OT). “An effective relationship is key,” Cosman said.

“The IT and OT issue has been around forever. Understanding it is essential for success in many areas including security. The distinction is real. It is always fund to take an IT guy out of the ‘head shed’ and take them out to the plant floor. When people work with something that moves, they don’t want to go back.

Plant engineers, Cosman said, do not want to deal with automation system security. Rather, they want to focus on ensuring the system is making the most product possible. They really want security experts to focus on keeping the bad guys out and making sure the system stays up and running.

“Security professionals are people paid to be paranoid,” Cosman said.

In addition to continuing to have their heads on a swivel, they have to know some common questions about the system and the environment. Questions like:
• Separate or interconnected systems
• What are the real threats
• Change management, patching
• Manage risk
• What products are suitable
• IT or engineering (OT) in control of the network

Knowing what questions to ask and what to look for leads to the next level and that is managing risk. Risk, Cosman said, equals threat, plus vulnerability, plus consequence.

Each element has a certain response from a specific perspective.

“We have to focus on consequence. We need to know what could happen. We as asset owners need to know this best. Be careful when you hear ‘that can’t happen here.’ People make mistakes,” Cosman said.

In short, he said, there is a strong relationship between security analysis and safety analysis.

“It all comes down to people, process and technology. Identify objectives and establish and implement measurements.”

Leave a Reply

You must be logged in to post a comment.