Establishing and improving safety, security

Cybersecurity experts share their advice on how to improve security networks at manufacturing facilities.

05/14/2016


The maturity of safety systems gives them a huge advantage over a newly implemented security program. Safety, once the babe in the woods, is now the wise, grizzled veteran in any manufacturing enterprise, but security, the new kid on the block, needs to reach that same established level, and fast.

There are several ways to narrow that gap.

Policies

"Very first starting point is policies," said Jay Abdallah, EMEA cybersecurity director at Schneider Electric. "That will help us understand whether or not a user has a program in place. Without a program, it is very difficult to build upon the fundamentals of a security program. With policies in place, we can understand if they have already achieved management support. However, what we are seeing out there is that there are still organizations that are missing that critical element, which means we are starting from scratch. We can assist with the creation of policies and the integration of them. Only in steps six or seven do we start talking about technology."

 

Figure 1: Ashland’s Lima plant produces BDO, an intermediate ingredient in common industrial and commercial products. Courtesy: Ashland Inc.

Training 

"As a first step, we always recommend training," said Farshad Hendi, safety services practice lead for Americas and Europe. "You need to identify the competency management, identify the organizational need for what people need to be effective. I believe 100% that training for the team will not be wasted. It will pay for itself."

Standards

"Are you aware of the standards and are they something you are trying to comply to?" Sven Grone, safety services practice lead for Asia Pacific & Middle East at Schneider Electric, said. "If the answer is yes, then we can move forward, if the answer is no, I have never heard of the standard and I don't know what my standards are, then we go down a path of education, so we can build some awareness in the plant."

Starting a program

When planning to implement or improve a safety or security program, users should:

  • Identify the regulatory requirements, future and pending
  • Establish current system status and planned upgrades
  • Assess the risk associated with implementation of various levels of the program
  • Determine current personnel capabilities and any need for external support.

There are some users that are more sophisticated and understand what the targets should be and then go about becoming compliant, Grone said. They also look for pain points to see where they can improve.

"We look at a safety lifecycle assessment study where we come in with our experts over the course of two days, talk to their engineers, managers, operations and maintenance and ask about 200 to 300 questions regarding how they go about their daily operations. We then crunch the numbers and issue a report on how they are doing with recommendations on the highest priority gaps they need to close."

Risk matrix

"One global operating company had to identify at what level of risk their sites were," said Steve Elliott, senior director offer marketing for process automation at Schneider Electric. "They defined a minimum standard and asked: 'Where are we against this for each of the sites?' Next step is to rank the sites, look at the ones with the biggest gap or consequence and prioritize these to get them up to the minimum standard as soon as possible. First, the company had to establish a benchmark and train people accordingly; the site managers, the process safety leads. Secondly, they performed a gap analysis which resulted in a site improvement plan. All of this then had to be implemented and completed.

"In terms of implementation, they needed to look at the top three hazards and eradicate them," Elliott said. "For this, they used a risk matrix, with 'site hazard rating' and 'site maturity' as the two axes. In the risk matrix they plotted each of the assets with the number of total sites, approx. 80 to 90. As in a typical risk matrix everything located in the top right corner was closely examined, these were their high risk, high consequence sites and had to be moved down on the chart. One of the implemented approaches was sharing people across sites. People from a well-performing site were moved to influence the sites not doing so well."

Homework

"Pick up the annual report, I guarantee that you will read the word safety within the first three pages," said Nasir Mundh, global director of safety services for process automation at Schneider Electric. "See who is walking the walk and talking the talk. When looking at your 14 elements of OSHA, how many are you really applying yourself? It is one thing to say we haven't had an injury in one million hours, how confident are you that there will not be an injury in the next hour? If the executive states we have a good process in place and we know what we are doing, that is fine. But, when they say I don't know, we ask how can you find out? Do your people know what is happening? Do you have a firm grip around it?"

Establish a goal

"The first thing is always to establish a goal," said Joshua Carlson, cybersecurity manager for North America at Schneider Electric. "Sometimes that goal is reflective of an industry guideline or requirement. You will find some of the corporations adopted their own standards saying we will be IEC 62443 compliant. We will be ISO 27000-1 compliant. That framework sets the stage for everything you do from that point forward.

"I would say at the beginning there is always the risk assessment and the gap analysis that occurs," Carlson said. "We are now starting to see organizations asking what is the threat? The likelihood and potential for that threat to happen, equals their risk. If everything is low and there are minimal people, minimal assets and minimal things happening all the time, it then becomes very simple to protect and control."

Gregory Hale is the editor and founder of Industrial Safety and Security Source (ISSSource.com), a news and information website covering safety and security issues in the manufacturing automation sector. This content originally appeared on ISSSource.com. Edited by Chris Vavra, production editor, CFE Media, Control Engineering, cvavra@cfemedia.com.
