Industrial cyber security in focus at ACI Connect 2014

Six months ago I published an article titled Industrial cybersecurity: is the IT department your friend? In that article I reflected on the questions being asked at a panel on industrial cyber security that I attended and made the following observation as a result:

I think it is true to say that as a whole, the processing, mining and manufacturing industries lack the maturity of security awareness that the general business IT industry has acquired over the years, and so the whole issue can seem very daunting. The publicity around high-profile malware incidents … have raised the profile of cybersecurity as a business need, but also skew the perceptions of the uninitiated into viewing malware and hacking as the main threats to focus on. Vendors across the board are now selling technology squarely aimed at these particular types of threats … This can also lead to the idea that once these technologies have been implemented, then the cybersecurity issue is ‘covered’ - much like the idea that implementing a firewall will magically secure the process network from everything else.

Don’t get me wrong though - malware and hacking are real and present dangers, but they only represent a certain percentage of the things that need to be taken into account in a cybersecurity program.

In other words, approaching the problem directly from this ‘nuts-and-bolts’ level will not achieve much. It is necessary to first understand all the threats that are posed to your organisation (and not just your control system), and assess the risks to your organisation and control systems that these threats represent. In other words, you need to understand what you are protecting against and how it may affect your system or organisation in order to effectively mitigate those risks.

But I also reflected on the fact that, while there is a large body of knowledge and ‘best practice’ available in the IT world, it is nevertheless very rare to find any IT department in an organisation that is doing security well. The same can also apply in relation to government organisations; however, many of our federal departments have security ‘as their core business’ and are experienced at understanding threat and risk.

The Australian Nuclear Science and Technology Organisation (ANSTO) is a good government example - and also a rare one, in that it operates a nuclear facility and therefore operates an industrial control system, in addition to information systems.

Mitchell Hewes is the IT security officer for ANSTO, and he produces the internal standards, design guidelines and procedures on how cyber security is to be addressed while assisting with the design and implementation of critical systems.

I look forward to hearing their presentation, and I am sure that for those of you who are concerned about cyber security in your plants but are new to the concepts, it will provide a great overview and example case study for you to reflect on.

Straight after the presentation, I will be chairing a panel discussion on industrial cyber security where you will have a rare opportunity be able to listen to and engage in a Q&A with Mitchell and Nick, as well as industrial cyber security and cyber-terrorism consultant Dr Christopher Beggs, and Adam Rickards of DAANET/Secomea.

I hope to see you there, armed with great questions for these industrial cyber-security experts!