Design cybersecurity plan for an automation project from the beginning

In the future, automation environments will need a cybersecurity plan designed from the beginning, which means companies will have to think about the process differently.
By Gregory Hale, ISSSource November 20, 2016

Moving forward, the automation environment needs to be cyber secure by design. That means not continuing to put firewalls on top of firewalls and barriers on top of barriers; security needs to be designed in from the beginning.

Users and integrators keep bolting on more and more security which helps keep things secure, but it can become way too cumbersome.

"If we keep going this way, we will have a secure system that does a little bit of process control," said Sandy Vasser retired IC&E Manager at ExxonMobil Development Corp. during his keynote address Tuesday at the Yokogawa Users Conference and Exhibition in Orlando.

Vasser’s talk was another discussion he had on an initiative ExxonMobil started called, "It Just Happens."

The movement started five years ago, when he said, "We had to dramatically change the way we do projects."

At first, the focus was to identify best practices, incorporate lessons learned, develop procedures and follow procedures from project to project.

Then, they adapted to the main automation contractor (MAC) model, which they were able to get that into 17 projects and it really lowered costs, he said. While some things had been accomplished, automation remained on a critical path.

One of the main stumbling blocks was the constant level of changes that would take place. In addition, there were dependencies on other disciplines on a project. "It resulted in constant rework," Vasser said.

All of this rework required extraordinary measures to deliver projects, Vasser said. Costs and schedules were managed but they would continue to rise and it kept growing.

Customization woes

Part of the problem hindering projects was the level of customization that went on at all times.

"This was the most singular biggest problem we had on a project," Vasser said. "We had to rely on standard solutions. Customization created all sorts of problems for us. We had to simplify, eliminate or automate processes. Reduce the number of dependencies, reduce the amount of automation generated documentation, and develop better trust with suppliers."

Vasser said they had to work with suppliers to save time. So they wanted to come up with one specification and they could work off of that one spec for all projects. Key areas they would focus on included:

  • Safety and cybersecurity
  • Areas with a lot of customization
  • Areas where an excessive amount of time and/or resources are used
  • Areas where there is a lot of rework
  • Areas where there are dependencies on other disciplines.

ExxonMobil came up with a list of key automation enablers that focused on those key areas:

  • Smart and configurable input/output (I/O) in standard cabinets
  • Virtualization
  • Auto direct, auto interrogate, auto configure, auto enable, auto document I/O
  • SIS Logic Solver
  • Seamless interrogation between automation and electrical
  • Simplified package
  • Wireless field instrument
  • Increased use of dc power. 

Vasser said Yokogawa was very responsive and they came up with: Network I/O for PCS and safety instrumented systems (SIS) in standard cabinets and/or junction boxes; virtualization; agile project execution (APE); simplified procedures for commissioning; improved integration between automation and electrical; simplified package interface solution, and wireless field instruments.

"We are trying to find ways to improve processes," Vasser said. "As we started thinking differently, we had to put all the old practices aside and think differently."

The industry will learn in due time whether ExxonMobil’s approach for the 21st century works or not, but at least they know something needs to be done.

Gregory Hale is the editor and founder of Industrial Safety and Security Source (, a news and information Website covering safety and security issues in the manufacturing automation sector. This content originally appeared on Edited by Chris Vavra, production editor, CFE Media, Control

ONLINE extra

See additional stories from ISSSource about the IIoT linked below.