Companies need to formulate a cybersecurity plan

Cybersecurity has made significant strides in terms of companies' awareness, but there is still a long way to go, according to experts at the SANS ICS Security Summit.


Sometimes you can reach your goal by starting from nothing and cobbling together thoughts and ideas piece by piece until they connect and the result is a final product.

There is no initial vision, but that comes together after working and living through the experience. Kind of a Monday morning quarterback thing.

Other times there is a vision from the top, or from someone who had an idea and simply says: here is a plan, let's execute on it, and it will help us move forward.

No matter how it comes together, the end result is the mission. When it comes to security, it is amazing how quickly professionals can get mired in the muck of everyday experiences and lose sight of what that mission truly is.

The big picture for every manufacturer is to keep systems up and running, produce product, safeguard intellectual property, and keep everyone safe. Pretty simple, right?

Security today compared to five years ago—and maybe even a year if you talk to some industry experts—is night and day. Not quite where the industry should be, but further advanced than it was.

"For years, we admired the problem. Today, it is not uncommon when you buy a controller there are more secure enhancements," said Mike Assante, industrial & infrastructure practice ICS/SCADA lead at the SANS Institute, during his keynote at the SANS ICS Security Summit in Orlando, Fla. "Fundamentally, security is being designed into control elements. There are more areas where security has to catch up, but we are getting there. Over time, we saw a combination of skill sets. There is progress."

The days of adding security into a proposal only if you are asked about it are long gone, because end users expect it to be in the solution.

"More companies are putting it in the safety category," Assante said. But in this changing landscape, "It is not a question of progress, but can we keep pace. In a changing landscape, models are changing, we are dynamic. This is the main event. More companies are moving toward digital technologies."

What people used to describe as the potential for attacks is now falling in line with real attacks on real critical infrastructure.

The most recent attack in the Ukraine is a case in point. In that attack, civilians lost power for just over an hour after a cyber attack against the utility.

"The stakes are growing with expanding attack surfaces," Assante said. "We understand how exposed we are in the architectures. We have seen a shift in motivations and diversity of attacks. We have always known they were possible; now we are seeing them demonstrated. We are seeing attacks that are damaging devices at the firmware level."

With the Ukraine attacks used as a barometer, Assante said the security industry has to fall back and use the growth and stability of the safety movement as an aid.

"We have done incredible things with safety," he said. "We have dealt well with accidents, storms and errors. Now the biggest challenge is in the cyber domain. The complexity and the level of abstraction has been difficult to see. Complexity and abstraction of software is creating a challenge. I think we are up to the challenge."

One person living that challenge every day is Sanford Rice, SCADA system developer at Atmos Energy Corporation, a gas pipeline company.

Rice, a control engineer by trade and a relative newcomer to security, talked about tips for those new to ICS security: "Don't panic."

He also laid out a few basic ideas for starting a security program:

  • Start with basics
  • Adopt a culture, treat security like safety
  • Learn how to talk the talk

"Our mission is to provide information and keep it safe. Our system is designed to be static. Our system does not change, it is simple. We are on the low end of utilization and load," Rice said.

Atmos knows security is a big issue and they are not afraid to invest.

"We have implemented more changes in security than we have in operability and usability," Rice said.

In terms of technology, Rice does not have to go out and reinvent the wheel all the time.

"Commercial off the shelf (COTS) can help. We have been successful along the way and found people that can help. We have used information technology (IT) solutions to make improvements."

Gregory Hale is the editor and founder of Industrial Safety and Security Source, a news and information website covering safety and security issues in the manufacturing automation sector. This content originally appeared on ISSSource. ISSSource is a CFE Media content partner. Edited by Chris Vavra, CFE Media.
