Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

ISA Automation Week Conference Wrap Up

What is the state of cyber security in critical infrastructure?  Still immature by most standards, but improving steadily thanks to a strong effort from industry.  That was the message received during last week’s ISA Automation Week conference in Nashville, TN. In my

What is the state of cyber security in critical infrastructure?  Still immature by most standards, but improving steadily thanks to a strong effort from industry.  That was the message received during last week’s ISA Automation Week conference in Nashville, TN. In my previous report on the opening keynote, the importance of the automation to a company’s productivity and bottom line was lauded, and guidance on how to measure that success was provided. On day two and three of the conference, the critical role of industrial automation continued to be a common theme throughout the Industrial Network Security track. Securing critical infrastructure is a responsibility that begins in Operational Technology (OT), and while IT groups and contractors can and should play an important role in implementing cyber security controls, the ownership of the problem and the solution rests solidly in OT.

To those who have followed industrial cyber security for any period of time, this represents a subtle but positive change. It was punctuated by a second powerful Keynote from Major General Robert Wheeler, Deputy Chief Information Officer C4 & IIC. Like Wheeler’s delivery, which was fast and energetic, his presentation drove home the rapid-response requirements of military information operations.  Missions are difficult and complex, and patching may need to happen in real-time, on the move, and even under fire. The message returned again and again to what Wheeler referred to as ‘Speed of Change’, without which our nation would not be able to stay ahead.

To an industry that is often accused of moving incredibly slow, and that resists change like a toddler resists broccoli, this was a welcome example of adaptability in the face of adversity. Control systems are large and complex, highly coordinated systems.  The DoD is large and complex, too. Over 3.7 million people, in thousands of locations, across 163 countries, in hundreds of thousands of facilitates. A successful cyber security strategy at this scale is certainly encouraging—if they can do it, surely we can, too?

Automation systems can and should be secured against cyber threats, the tools and methodologies are being tailored to suit the needs of automation, and the operations and maintenance personal are slowly but surely building a new repertoire of skills.  In short, the industry is motivated to implement change in order to prevent risk; it is also full of intelligent and clever people.  It is an encouraging equation. 

Oil and Cybersecurity

This was perhaps most evident during a discussion led by Ayman AL-Issa of ADMA-OPCO. The technical and operational strategies of the Digital Oil Field—as they are in Wheeler’s strategy—embrace connectivity and communications.  Increased connectivity, after all, can provide safety and operational benefits, and actually minimize security risks.  By wrapping connectivity in a strong defense-in-depth strategy, we can have our proverbial cake and eat it, too. 

Ayman AL-Issa is a pioneer of increased automation in the oil industry, promoting secure, centralized control and improved end-to-end process visibility.  His work primarily improves safety, but also increases reliability and efficiency.  “When we are walking on mines,” he states, “our first mistake is our last mistake.”

This is a welcome change from the industry’s past dependence upon the mythical “air gap,” where communications and connectivity is shunned.  Instead of depending on isolation and obscurity for security, there seemed to be a general acceptance of the opposite paradigm: that careful and controlled communications can improve security.  

When done correctly, connectivity that is provided to increase operational visibility can also provide increased security visibility.  In the words of Ashok Dasgupta, Principle Engineer and MITSO at Hunstman, “Security is visibility, and visibility is security.”

Advertisement. Scroll to continue reading.

There’s a long way to go before IACS security reaches the level of maturity that’s seen in the DoD, but with open and intelligent discussions of cyber threats, defenses, policies and people, the industry is definitely heading in the right direction.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet