Security 101: Understand Risk

Thursday, April 21, 2011 @ 01:04 PM gHale

By Gregory Hale

At the end of the day, the basic principle behind security all comes down to assessing risk and prioritizing what you need to protect.

“We know government is picking up on cyber security as they feel they need to protect the critical infrastructure of the nation,” said Bart DeWijs, division cyber security manager for Power System at ABB, during the Thursday morning workshop entitled, “Cyber Security 101: What you need to know about current threats, solutions, standards and more.”

Understanding the risk and not overreacting to it is the first hurdle a user needs to get through, DeWijs said.

“You can say there is no risk, but that would be living in denial,” he said. There is the other end of the spectrum which is to panic and that, too, is way too extreme, he said. “Security is somewhere in the middle.”

One thing the user has to remember is that the goal for any security solution is to eliminate unplanned downtime. “Downtime is money,” he said. “You should not jump on the hype and the fear, but really look at the risk. You really don’t have to protect against everything out there. The majority of incidents are mistakes made by people.”

During the crowded session, DeWijs got down to basics and explained why cyber security is important today for manufacturers.

“We don’t have isolated devices anymore,” he said. “Now we are talking about highly distributed systems that are interconnected. Essentially, modern control systems are specialized IT systems.”

IT systems mean engineers on the plant floor have to work with information technology specialists – a relationship that has not been productive over the years. But these days both sides have to eliminate that friction.

“Effective security requires collaboration and dialogue with vendors and everyone in your organization,” DeWijs said. “We have to collaborate with each other. We can work with IT and they can teach us. We can teach them about what engineers do. We need to teach each other.”

When it comes to security, there are also standards, regulations and compliance issues to deal with. DeWijs listed just a few of the areas to look at: the Smart Grid Interoperability Panel; NERC CIP, which covers North American power utilities; IEC 62351, which addresses data communications security; and the ISA99 industrial automation and control systems security standard.

In terms of what users should look for in a security solution, DeWijs said the first thing you should do is look at your system and see what security is already in place. Some of the other items to think about include:
• Accepting responsibility. “Security is everybody’s responsibility and you should take it.”
• Understanding security is all about processes.
• Realizing there is no such thing as 100 percent security.
• Understanding what compliance is all about. “Just because you are in compliance, it doesn’t mean you are secure,” he said.

In many ways, DeWijs said, safety and security are similar. But they can be different at the same time. “In safety, threats and risks can be calculated. You know what you are getting. In security, you cannot measure the threats and risks; they are always changing.”
