SecurityWeek

Security Architecture

ISA Automation Week Day One Wrap Up: Building an ROI for Industrial Cyber Security

Building an ROI for Industrial Cyber Security? Start by Measuring the Business Performance of Real-Time Systems.

Today marked the first full day of ISA Automation Week 2013.  While attendance seemed low, no doubt due to the overlap with the fall ICS-JWG conference, the energy was high and the sessions have been spot on.

Dr. Peter Martin of Invensys delivered an important message about performance measurement in today’s ISA Automation Week keynote: production is one of the highest contributors, if not the highest, to a company’s bottom line. However, in current corporate reporting practices, the impact of real-time production can be invisible to the executive layer. A CFO may report on the financial impact of monthly operations, but real-time metrics (or even hourly or daily ones) simply aren’t produced in a manner digestible to corporate officers and bean counters. This is a real concern that I’ve observed first-hand: often the important minutiae are overlooked, making process improvements—from safety, to production, to security—seem like a corporate burden rather than a benefit.

Although Dr. Martin didn’t speak to cyber security requirements per se, cyber security is definitely a production improvement that can easily be mistaken for a corporate burden.  The keynote reminded me of conversations with Smart Grid Security’s Andy Bochman, who is a vocal advocate of top-down cyber security.  Simply put, unless cyber security becomes a boardroom requirement, it can never be fully and effectively implemented.  Unless cyber security can be measured in terms of business performance, the boardroom will never fully understand, or care.

To paraphrase Dr. Martin’s words, “anything other than real-time measurement is, by definition, out of control.” Luckily, the same logic used to measure production metrics in real time can be easily adapted to produce business performance metrics in real-time.  These can feed up to daily measurements (via a Historian), and ultimately to monthly measurements, pre-translated for the CFO.  

This is an important but often overlooked consideration, and to many it represents an entirely new perspective on industrial automation requirements.  It’s especially important because—as subsequent sessions made clear—the current state of industry cyber security is leaving systems highly vulnerable.  Dropping a firewall in place at the IT/OT perimeter isn’t good enough anymore.  Michael Firstenberg of Waterfall Security presented not one but thirteen ways to bypass a firewall.  Later, Eric Byres of Tofino discussed the inadequacy of perimeter security, leading an active discussion on how to implement the ISA-99 (now IEC 62443) zone and conduit model, using tiered segmentation as well as defense-in-depth. 

Implementing a more mature cyber security profile within automation means an investment in both time and resources.  Being able to measure business performance in real-time is the first step in justifying the ROI of this much-needed increase in cyber security controls.
