We’ve taken a look at potential cyber security threats, “Proactive Approach to Cyber-Security Could Avert Disastrous Shutdowns,” establishing a risk assessment within your organization, “Cyber Security: What’s Your Risk Tolerance?” and in this, part three of this three-part series, it’s time to move. Time to prioritize your commitment both fundamentally and budgetarily to a plan of attack to prevent possible attacks. So, let’s jump right in. Presumably at this juncture, you have already assessed your appetite for risk and are ready to move forward either with incremental change or a complete system upgrade. But where do you start?
“As part of ISA’s continued efforts to meet the growing need of industrial control systems professionals and to expand its global leader outreach into the security realm, ISA has developed a knowledge-based certificate recognition program designed to increase awareness of the ANSI/ISA99 standard,” according to ISA org.
These standards intended to protect critical control systems have led to the ongoing development of ISA/IEC 62443 series of standards on the cyber security of industrial automation and control systems.
Cyber security is an ever-evolving industry, so you want to make sure the subject matter experts you bring in to consult with are up to date on certifications. A prudent decision would be to ensure IEC/ISA 62443 certified employees can design systems to meet IEC/ISA 62443 security requirements. How do they do that? A number of educational and technical steps should follow so not only are you taking stock of potential risks, but also communicating effectively to your entire operational organization to keep things running smoothly. When you’re ready to act plan for the following:
Educate organization on risk mitigation
You’ll recall in our last blog we talked about the importance of getting your leadership team to assess their appetite for risk, but that assessment isn’t enough. One primary duty as you attempt to mitigate the risk is informing your organization about the potential risks and sharing with them a plan to do something about it.
Individual training sessions, highlighting both risk and reality: the risk of an attack happening to your organization and the reality of the sheer number of attacks that seem to be increasing every day, should become a routine element of organizational communication.
Detailed Risk Assessments with Subject Matter Experts (SMEs)
Once you’ve selected highly skilled and certified experts to help your team lead the charge put that competence to work.
Most cyber-security assessments will analyze:
- delivery methodology
- inventory IACS systems
- networks and devices
- software with versions and patch information
- network segmentation
- other factors
Risk assessments also incorporate resilience of the mechanics and constructed conveyances, physical barriers, source product, collection and intake, storage and distribution facilities, electronic, computer, or other automated systems (including the security of such systems) utilized by the system.
A complete operational and maintenance schedule should also consider monitoring practices, financial infrastructure, the use, storage, or handling of various chemicals. That same plan for ongoing operation and maintenance may also include an evaluation of capital and operational needs for risk and resilience management.
Design systems to mitigate risk and meet compliance
No doubt, with the rapid movement in this field, there will be some systems that can be re-configured and others that may require an entirely new design. Process improvements include separating operational manufacturing systems from business systems, utilizing thin management strategies to isolate computers used within a control system, and methodically ensuring software updates will not unnecessarily interrupt production lines. Each of these can significantly impact design practices.
Building safeguards into the design of any new automation needs or updated equipment is a vital component in assuring you can keep up on the latest trends in cyber security.
Install or re-configure systems
Installing these newly designed systems or even re-configuring those that already exist will require careful planning and stellar communication. Whether it’s a food and beverage or pharmaceutical production line, a water/wastewater system, an electrical service grid or even a natural gas production facility, any break in day to day operations can be an obstacle. Clear communication on service calls, potential production line shutdowns and general knowledge about the state of the organization during installations will save you headaches on the backend.
Document and train on all safeguards and systems
In scientific studies there’s a phrase commonly used for every study: verify, verify, verify. When it comes to automated, integrated computer systems, the common language should be document, document, document. Any one small change or large complete upgrade can impact an entire business model. If your operators don’t know what the changes are or how the system is designed or re-configured, a simple blip in the system can quickly turn into a massive failure costing millions of dollars, job shifts and even potentially causing a shift in the focus of a business.
Everything from production operations, system efficiency, personal safety to cyber security is impacted with each slight change and operating with a “Hit by a Bus” theory can ultimately save the day. The theory goes something like this…if I get hit by a bus tomorrow and the company still needs to be running like a well-oiled machine, have I documented and trained others well enough that they won’t miss a beat?
SMEs worth your time will have a systematic approach to documenting every step on the journey and will not only provide you with that detailed documentation, but also work with you to handoff information to frontline operators before they ever go offsite.
When it comes to cyber security specifically, predictive models of what could happen and how you might respond should be considered. Documented response plans in the event of an attack, despite your best efforts, should be included. Cyber security is really everyone’s responsibility especially if your employees are the first gatekeepers of your network.
Even if aging equipment continues to operate seamlessly, as time goes by, the risk organizations take on rises significantly with each passing year. Companies who plan for and execute a planned upgrade will be well-suited for long-term stability and with an eye toward not only updating old equipment, but also designing in the latest cyber security standards will be miles ahead of the competition at every turn.
Review our initial blog posts on cyber security here:
Proactive Approach to Cyber-Security Could Avert Disastrous Shutdowns | Huffman Engineering
Cyber Security: What’s Your Risk Tolerance? | Huffman Engineering
Let the IEC/IAS certified Cyber Security experts at Huffman Engineering be your go-to subject matter experts on cyber security. Request a Quote today by reaching out to our certified engineers.
Mechanical Engineer | IEC/IAS Cyber Certified Risk Assessment Specialist
IT Engineering Specialist
Huffman Engineering, Inc. (HEI) is an engineering services firm specializing in control system integration, design, and engineered studies. Our start-to-finish project expertise includes design, development, implementation, support, testing, and operator training serving industrial customers and municipalities, with a focus on pharmaceuticals, life sciences, utilities, and food & beverage. HEI has a 34-year history of delivering system integration projects and building robust, reliable automation systems for highly regulated industries meeting stringent regulatory requirements including the FDA, USDA, and EPA among others. HEI is a CSIA Certified control systems integration company, with a highly skilled team of electrical/mechanical engineers, and experienced technicians who deliver optimal industrial automation solutions. Based in Lincoln, Nebraska, Huffman Engineering has served the Midwest since 1987.
Making Ideas Work