Security Experts:

Connect with us

Hi, what are you looking for?


Network Security

ISA Automation Week Conference Wrap Up

What is the state of cyber security in critical infrastructure?  Still immature by most standards, but improving steadily thanks to a strong effort from industry.  That was the message received during last week’s ISA Automation Week conference in Nashville, TN. In my

What is the state of cyber security in critical infrastructure?  Still immature by most standards, but improving steadily thanks to a strong effort from industry.  That was the message received during last week’s ISA Automation Week conference in Nashville, TN. In my previous report on the opening keynote, the importance of the automation to a company’s productivity and bottom line was lauded, and guidance on how to measure that success was provided. On day two and three of the conference, the critical role of industrial automation continued to be a common theme throughout the Industrial Network Security track. Securing critical infrastructure is a responsibility that begins in Operational Technology (OT), and while IT groups and contractors can and should play an important role in implementing cyber security controls, the ownership of the problem and the solution rests solidly in OT.

To those who have followed industrial cyber security for any period of time, this represents a subtle but positive change. It was punctuated by a second powerful Keynote from Major General Robert Wheeler, Deputy Chief Information Officer C4 & IIC. Like Wheeler’s delivery, which was fast and energetic, his presentation drove home the rapid-response requirements of military information operations.  Missions are difficult and complex, and patching may need to happen in real-time, on the move, and even under fire. The message returned again and again to what Wheeler referred to as ‘Speed of Change’, without which our nation would not be able to stay ahead.

To an industry that is often accused of moving incredibly slow, and that resists change like a toddler resists broccoli, this was a welcome example of adaptability in the face of adversity. Control systems are large and complex, highly coordinated systems.  The DoD is large and complex, too. Over 3.7 million people, in thousands of locations, across 163 countries, in hundreds of thousands of facilitates. A successful cyber security strategy at this scale is certainly encouraging—if they can do it, surely we can, too?

Automation systems can and should be secured against cyber threats, the tools and methodologies are being tailored to suit the needs of automation, and the operations and maintenance personal are slowly but surely building a new repertoire of skills.  In short, the industry is motivated to implement change in order to prevent risk; it is also full of intelligent and clever people.  It is an encouraging equation. 

Oil and Cybersecurity

This was perhaps most evident during a discussion led by Ayman AL-Issa of ADMA-OPCO. The technical and operational strategies of the Digital Oil Field—as they are in Wheeler’s strategy—embrace connectivity and communications.  Increased connectivity, after all, can provide safety and operational benefits, and actually minimize security risks.  By wrapping connectivity in a strong defense-in-depth strategy, we can have our proverbial cake and eat it, too. 

Ayman AL-Issa is a pioneer of increased automation in the oil industry, promoting secure, centralized control and improved end-to-end process visibility.  His work primarily improves safety, but also increases reliability and efficiency.  “When we are walking on mines,” he states, “our first mistake is our last mistake.”

This is a welcome change from the industry’s past dependence upon the mythical “air gap,” where communications and connectivity is shunned.  Instead of depending on isolation and obscurity for security, there seemed to be a general acceptance of the opposite paradigm: that careful and controlled communications can improve security.  

When done correctly, connectivity that is provided to increase operational visibility can also provide increased security visibility.  In the words of Ashok Dasgupta, Principle Engineer and MITSO at Hunstman, “Security is visibility, and visibility is security.”

There’s a long way to go before IACS security reaches the level of maturity that’s seen in the DoD, but with open and intelligent discussions of cyber threats, defenses, policies and people, the industry is definitely heading in the right direction.

Written By

Click to comment

Expert Insights

Related Content

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cybersecurity Funding

Forward Networks, a company that provides network security and reliability solutions, has raised $50 million from several investors.

Network Security

Cisco patched a high-severity SQL injection vulnerability in Unified Communications Manager (CM) and Unified Communications Manager Session Management Edition (CM SME).

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Vulnerabilities identified in TP-Link and NetComm router models could be exploited to achieve remote code execution (RCE).