Establishing and improving safety, security
Maturity of safety systems has huge advantage over implementing a security program. Safety systems, once the babe in the woods, is the wise, grizzled veteran in any manufacturing enterprise, but security, the new kid on the block, needs to reach that same established level-and fast.
There are several ways to narrow that gap.
"Very first starting point is policies," said Jay Abdallah, EMEA cybersecurity director at Schneider Electric. "That will help us understand whether or not a user has a program in place. Without a program, it is very difficult to build upon the fundamentals of a security program. With policies in place, we can understand if they have already achieved management support. However, what we are seeing out there is that there are still organizations that are missing that critical element, which means we are starting from scratch. We can assist with the creation of policies and the integration of them. Only in steps six or seven do we start talking about technology."
"As a first step, we always recommend training," said Farshad Hendi, safety services practice lead for Americas and Europe. "You need to identify the competency management, identify the organizational need for what people need to be effective. I believe 100% that training for the team will not be wasted. It will pay for itself."
"Are you aware of the standards and are they something you are trying to comply to?" Sven Grone, safety services practice lead for Asia Pacific & Middle East at Schneider Electric, said. "If the answer is yes, then we can move forward, if the answer is no, I have never heard of the standard and I don’t know what my standards are, then we go down a path of education, so we can build some awareness in the plant."
Starting a program
When planning to implement or improve a safety or security program, users should:
- Identify the regulatory requirements, future and pending
- Establish current system status and planned upgrades
- Assess the risk associated with implementation of various levels of the program
- Determine current personnel capabilities and any need for external support.
There are some users that are more sophisticated and understand what the targets should be and then go about becoming compliant, Grone said. They also look for pain points to see where they can improve.
"We look at a safety lifecycle assessment study where we come in with our experts over the course of two days, talk to their engineers, managers, operations and maintenance and ask about 200 to 300 questions regarding how they go about their daily operations. We then crunch the numbers and issue a report on how they are doing with recommendations on the highest priority gaps they need to close."
"One global operating company had to identify at what level of risk their sites were," said Steve Elliott, senior director offer marketing for process automation at Schneider Electric. "They defined a minimum standard and asked: ‘Where are we against this for each of the sites?’ Next step is to rank the sites, look at the ones with the biggest gap or consequence and prioritize these to get them up to the minimum standard as soon as possible. First, the company had to establish a benchmark and train people accordingly; the site managers, the process safety leads. Secondly, they performed a gap analysis which resulted in a site improvement plan. All of this then had to be implemented and completed.
"In terms of implementation, they needed to look at the top three hazards and eradicate them," Elliott said. "For this, they used a risk matrix, with ‘site hazard rating’ and ‘site maturity’ as the two axis. In the risk matrix they plotted each of the assets with the number of total sites, approx. 80 to 90. As in a typical risk matrix everything located in the top right corner was closely examined, these were their high risk, high consequence sites and had to be moved down on the chart. One of the implemented approaches was sharing people across sites. People from a well performing site were moved to influence the sites not doing so well."
"Pick up the annual report, I guarantee that you will read the word safety within the first three pages," said Nasir Mundh, global director of safety services for process automation at Schneider Electric. "See who is walking the walk and talking the talk. When looking at your 14 elements of OSHA, how many are you really applying yourself? It is one thing to say we haven’t had an injury in one million hours, how confident are you that there will not be an injury in the next hour? If the executive states we have a good process in place and we know what we are doing, that is fine. But, when they say I don’t know, we ask how can you find out? Do your people know what is happening? do you have a firm grip around it?"
Establish a goal
"The first thing is always to establish a goal," said Joshua Carlson, cybersecurity manager for North America at Schneider Electric. "Sometimes that goal is reflective of an industry guideline or requirement. You will find some of the corporations adopted their own standards saying we will be IEC 62443 compliant. We will be ISO 27000-1 compliant. That framework sets the stage for everything you do from that point forward.
"I would say at the beginning there is always the risk assessment and the gap analysis that occurs," Carlson said. "We are now starting to see organizations asking what is the threat? The likelihood and potential for that threat to happen, equals their risk. If everything is low and there are minimal people, minimal assets and minimal things happening all the time, it then becomes very simple to protect and control."
Gregory Hale is the editor and founder of Industrial Safety and Security Source (ISSSource.com), a news and information website covering safety and security issues in the manufacturing automation sector. This content originally appeared on ISSSource.com. Edited by Chris Vavra, production editor, CFE Media, Control Engineering, firstname.lastname@example.org.
See additional stories from ISSSource about cyber security below.