Cyber Security: Where Does the Reasoning Begin?

By Bill Lydon, Editor, Automation.com
I recently witnessed the most useful cyber security presentation I have seen, to date, at the Schneider Connect 2016 conference. The presentation, given by Gary Williams, Sr. Director, Technology, Cybersecurity, and Communications, essentially answered the important question that my AC/DC fundamentals professor would always ask to start a topic: Where does the reasoning begin?
Usually when I hear cybersecurity presentations, the speakers talk about serious consequences of cyber security and then overwhelm people who are not familiar with the topic with deep levels of details and intricacies. Williams definitely addressed the consequences. “In January of this year, it was calculated that there were 300,000 new malware per day,” Williams shared. “As of yesterday, there were 700,000 per day with 30% delivered in PDF documents.” He also presented statistics from Dimensional Research, showing that cybercrimes cost energy and utilities companies an average of $13.2 million each year, for lost business and damaged equipment. Beyond that, 47% of energy organizations reported attacks, the highest among all corporate sectors.
Then, perhaps in a reflection of his deep military and industry experience, Williams provided a process for cyber security protection.
The Williams Process
Gary Williams presents a cyber security process.
Williams noted that, “cyber security is not a project,” it is an ongoing process, one that everyone in the company is responsible for. “Be as aggressive as the hackers,” Williams instructed his audience and then used “AGGRESSIVE” as an acronym for his cybersecurity steps. His acronym for cybersecurity went as follows:
A – Adopt: Adopt a standard. Schneider Electric, for example, has adopted IEC 62443 since it applies to industries they serve. This standard adoption enables an organization to have a common vocabulary, throughout the company and the world.
G – Gather: Determine the cyber security controls that pertain to your industry and functions.
G – Gap analysis: Determine where you want to be and where your cyber security protection is today. A gap analysis between these two points helps organizations really understand their systems and what is required to meet the goal. “This is where you find the dirty laundry,” described Williams, “It is better for you to do this task than calling in a third party.”
R – Risk and threat assessment: Which of those gaps are critical to your business, operations, and environment? Once this is determined, a priority list should be created for resources and investment utilization.
E – Execute mitigation: “As you are executing mitigation, issues will come up that were not found in the gap analysis,” explained Williams, “Record them and do an autopsy.” He went on to explain that the recorded evidence is what is reported to management in order to give them the needed information to understand the threats and the required investments.
S – Survey the complete system: “Collect configuration files on firewalls, switches, and interfaces which are essential to recover from an intrusion or attack,” emphasized Williams.
S – Store: Store configuration files securely on-site and off-site. Williams stressed that this information needs to be accessible within an acceptable timeframe for recovery. “Having it backed up is all well and good,” he stated, “But you need to practice the recovery as often as possible.”
I – Inform all stakeholders: “If you inform them, management will see the value of what they are getting from their investment and understand what the risk is without maintaining protection.”
V – Verify on a regular basis: Cyber security threats are dynamic, as Williams pointed out. “Cyber security threats are constantly changing, which means the threat vectors are changing.” Williams described, “what you put in today to secure system is not necessarily capable of securing it tomorrow.” He also suggested including everyone in cybersecurity efforts, even if they weren’t traditionally involved in these areas. Williams stated that doing this “will make them more aware and they become people that will protect systems.”
E – Educate everyone: “Education is probably the most important function,” affirmed Williams, “The two engineers in your control room, if educated, are your first line of defense, they should be able to isolate and identify threats and then you can call in the experts.”
Zones & Conduits
Williams believes that configuring a system, using the principles of ISA99 and IEC 62443, into zones that conform to the familiar five layer model is the most productive organizing principle. This segregates functional areas, with information conduits communicating between levels. It is important to remember that with the proliferation of communication networks, including wireless, there may be multiple conduits between levels that need to be considered for cyber security. Using a standard architecture enables a common view of systems, segregation, and approach.
Five Layer Model
Level 5 Enterprise
Level 4 Site Business Planning
Level 3 Site Manufacturing Operations
Level 2 Area Supervisory Control
Level 1 Basic Process Control
Level 0 Field Instrumentation
Multiple zones within a level are used to group areas together for protection, using separate conduits for each.
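An added example, not from the presentation or from Schneider Electric: one way to check observed network flows against a declared zone-and-conduit inventory, including two zones on the same level that need their own conduit. The zone names, subnets, ports and flow records are constructed for illustration, and modelling a conduit as a directional (source zone, destination zone, port) entry is an assumption of this example.

```python
import ipaddress

# Constructed zone inventory (assumed names and subnets): zone -> (level, subnet).
ZONES = {
    "enterprise":    (5, "10.50.0.0/16"),
    "site-business": (4, "10.40.0.0/24"),
    "site-ops":      (3, "10.30.0.0/24"),
    "supervisory-a": (2, "10.20.1.0/24"),
    "supervisory-b": (2, "10.20.2.0/24"),
    "control-a":     (1, "10.10.1.0/24"),
}

# Declared conduits (assumed): (source zone, destination zone, TCP port).
CONDUITS = {
    ("enterprise", "site-business", 443),
    ("site-business", "site-ops", 443),
    ("site-ops", "supervisory-a", 4840),
    ("site-ops", "supervisory-b", 4840),
    ("supervisory-a", "control-a", 502),
}

# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.30.0.5", "10.20.1.10", 4840),    # matches a declared conduit
    ("10.20.1.10", "10.20.1.11", 445),    # stays inside one zone
    ("10.50.3.9", "10.10.1.7", 502),      # enterprise straight to control
    ("10.20.1.10", "10.20.2.15", 3389),   # between two zones on one level
    ("192.168.7.20", "10.10.1.7", 502),   # source outside the inventory
]

def zone_of(ip):
    """Return the zone whose subnet contains ip, or None if unmapped."""
    addr = ipaddress.ip_address(ip)
    for name, (_level, subnet) in ZONES.items():
        if addr in ipaddress.ip_network(subnet):
            return name
    return None

def audit_flows(flows):
    """List flows that cross a zone boundary without a declared conduit."""
    findings = []
    for src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz is None or dz is None:
            findings.append((src, dst, port, "endpoint not in any zone"))
        elif sz != dz and (sz, dz, port) not in CONDUITS:
            why = f"no conduit {sz} (L{ZONES[sz][0]}) -> {dz} (L{ZONES[dz][0]})"
            findings.append((src, dst, port, why))
    return findings
```

Calling `audit_flows(SAMPLE_FLOWS)` returns only the three flows that have no declared conduit or an unmapped endpoint; the same-zone flow and the declared one are not reported.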
Cyber security, as Williams drove home throughout the presentation, is an ongoing sleepless task for today’s businesses. “Cyber security is a moving target and the standards are nothing more than a guidance,” Williams warned in closing, “Be sure to seek cyber security experts, when you face new challenges.”