ISA Automation Week Day One Wrap Up: Building an ROI for Industrial Cyber Security

Building an ROI for Industrial Cyber Security? Start by Measuring the Business Performance of Real-Time Systems.

Today marked the first full day of ISA Automation Week 2013.  While attendance seemed low, no doubt due to the overlap with the fall ICS-JWG conference, the energy was high and the sessions have been spot on.

Dr. Peter Martin of Invensys delivered an important message about performance measurement in today’s ISA Automation Week Keynote: Production is one of the highest contributors, if not the highest, to a company’s bottom line.  However, in current corporate reporting practices, the impact of real-time production can be invisible to the executive layer.  A CFO may report on the financial impact of monthly operations, but real-time (or even hourly or daily) metrics simply aren’t produced in a manner digestible to corporate officers and bean counters.  This is a real concern that I’ve observed first-hand: often the important minutiae are overlooked, making process improvements—from safety, to production, to security—seem like a corporate burden rather than a benefit.

Although Dr. Martin didn’t speak to cyber security requirements per se, cyber security is definitely a production improvement that can easily be mistaken for a corporate burden.  The keynote reminded me of conversations with Smart Grid Security’s Andy Bochman, who is a vocal advocate of top-down cyber security.  Simply put, unless cyber security becomes a boardroom requirement, it can never be fully and effectively implemented.  Unless cyber security can be measured in terms of business performance, the boardroom will never fully understand, or care.

To paraphrase Dr. Martin’s words, “anything other than real-time measurement is, by definition, out of control.” Luckily, the same logic used to measure production metrics in real time can be easily adapted to produce business performance metrics in real time.  These can feed up to daily measurements (via a Historian), and ultimately to monthly measurements, pre-translated for the CFO.

This is an important but often overlooked consideration, and to many it represents an entirely new perspective on industrial automation requirements.  It’s especially important because—as subsequent sessions made clear—the current state of industry cyber security is leaving systems highly vulnerable.  Dropping a firewall in place at the IT/OT perimeter isn’t good enough anymore.  Michael Firstenberg of Waterfall Security presented not one but thirteen ways to bypass a firewall.  Later, Eric Byres of Tofino discussed the inadequacy of perimeter security, leading an active discussion on how to implement the ISA-99 (now IEC 62443) zone and conduit model, using tiered segmentation as well as defense-in-depth. 

Implementing a more mature cyber security profile within automation means an investment in both time and resources.  Being able to measure business performance in real time is the first step in justifying the ROI of this much-needed increase in cyber security controls.
