Management Must Lead On Cybersecurity

EP Editorial Staff | August 1, 2018

By Jamie Froedge, President, Emerson Process Systems & Solutions

“What is the value of lost production?” This question is at the heart of discussions that management has every day. We ask it as we prepare contingency plans to protect personnel, supply chains, and processes from risks. We ask it as we develop reliability strategies to keep assets running. We ask it as we develop safety strategies to keep our employees safe and out of harm’s way and protect our physical assets.

Reliable and safe operations are typically productive operations. Cybersecurity management is integral to operating reliably and safely. With the threat of cyber-related issues growing larger every day, it is critical that we integrate cybersecurity prevention and damage-mitigation strategies in the same way we’ve integrated and embraced safety, reliability, and production-optimization strategies. Effective cybersecurity strategies are a competitive differentiator because they drive healthy investment clarity and lead the organization to sustained, Top-Quartile production performance.

Assess your risk

Cybersecurity can seem complicated, filled with acronyms and technical lingo that often only a select group of folks in an organization understand. It is essential that all stakeholders achieve a common understanding of risks and strategic options by educating one another about the role each functional group plays in a successful strategy, and using language that is understandable across these functional boundaries. To accurately assess risk, an integrated and holistic view is necessary. Leaders can enable this by encouraging and sponsoring cross-functional communication and collaboration.

Viewing cybersecurity risk as binary, i.e., risk or no risk, can lead to unrealistic expectations and investment paralysis. Understanding the benefits of various risk-prevention and -mitigation actions can lead to a sustained investment roadmap with measurable risk-return ratios. Given the dynamic nature of cybersecurity risks and the relatively long timeframe in which most plants operate, there are numerous opportunities for incidents to occur. This makes risk-mitigation strategies as important as prevention. Reducing what could be days of impact to hours can represent millions of dollars of difference on the bottom line.

Preparing to respond

Best-in-class cybersecurity is about more than building systems and processes to prevent a disaster. When the worst happens, organizations must be able to implement prepared strategies to mitigate damage. Rather than spend precious minutes, hours, or days figuring out what is happening and determining an effective response, organizations must have a robust, well-rehearsed plan of action they are ready to execute at any time. Most have plans for other types of risks, including floods, earthquakes, fire, or human-related security events. We see fewer organizations with such plans for cyber events, yet the risks are often higher and more probable.

Being prepared to mitigate a cyberattack means having the capacity to quickly detect an intrusion and efficiently and effectively end the threat. Written plans, encompassing various scenarios that can be used in drills and simulations, help prepare teams.

In addition, it is important to look outside the organization for areas in which the company cybersecurity posture can be improved. Companies should set standards that hold vendors and partners accountable for maintaining cybersecurity protection in all interactions.

Having clear policies in place when working with vendors—starting in the earliest stages of project development—helps the organization and vendor deliver more-secure projects. Performing an internal and external vulnerability and damage-mitigation assessment is a good first step toward best practice.

Illustration shows levels and factors involved in a cyber-hardened control and safety system.

Responsibility at the top

Cybersecurity awareness and prioritization at the board-of-directors level is at an all-time high. In many cases, it’s equally high within the groups managing operations. Still, we often see a disconnect regarding the levels of required investment and how quickly it needs to be made. New cyberattacks are emerging constantly, while budgets are approved far less frequently. This incongruity can hamper timely investments for future, sustainable growth.

Aligning incentives so operations can make essential cybersecurity investments today and ensure uninterrupted production is imperative. At Emerson, we invested in advanced training for our control- and safety-systems product-development team so they can design applications to be inherently secure, write code using secure development practices, and include threat analysis in the development process. This added cost to a previously approved budget, but we are confident it was necessary and will pay off for us—and our customers—in the long term.

Leadership

Organizational leadership plays a multifaceted role in helping to manage cybersecurity. We must understand the risks of cyber threats from a cost, safety, and reputation-loss point of view. This makes it easier to communicate the impact on the organization and align budgets and incentives accordingly. We need to build a cybersecurity-aware corporate culture that includes well-thought-out protections and responses to incidents that could occur, while simultaneously helping our personnel protect themselves and their plants. A strong strategy positions organizations to adopt advanced and connected technologies that enable more competitive, cost-optimized operations. With a strong cybersecurity culture we can look to the future while continuing strategic conversations about cyber issues, secure in the knowledge that our discussions will lead to a strengthening of the organization’s posture across the lifecycle of its operations.


New Standards, Better Security

By Emerson Automation Solutions

Cybersecurity demands constant progression, and with each release of the DeltaV control and safety system, Emerson continues to harden and certify its automation system. DeltaV version 14 will mark the next major leap in securing automation systems by certifying to the ISASecure System Security Assurance (SSA) Level 1 requirements (isasecure.org). This will demonstrate that an independent third party has verified that DeltaV version 14 meets or exceeds cybersecurity requirements for three significant ISA/IEC 62443 standards: Secure Development Lifecycle Assurance (SDLA); controller/endpoint hardening; and overall system security requirements.

By hardening DeltaV version 14 to meet or exceed ISASecure SSA Level 1 requirements, Emerson is ensuring the latest release of its automation system will continue to deliver cybersecurity values that matter most to end users: availability, integrity, confidentiality, incident response, account management, and network/communications security. Having the ISASecure SSA Level 1 certification for the overall system demonstrates Emerson’s commitment to invest in the hardening of the control and safety system, not just individual components.

ISASecure SSA certification also recognizes that DeltaV controllers and other endpoints in version 14 are tested to verify that the system is defensible against common network cyberattacks such as denial of service and malformed-input attacks. In addition, it certifies that Emerson has processes that incorporate security into the design, implementation, testing, and documentation of the automation system and its components. Being certified also means that Emerson has processes in place to fix cybersecurity issues that are discovered after the software and hardware in version 14 are released and in use.

The ISASecure SSA certification complements the overall cybersecurity products and services offered by Emerson for DeltaV systems which include: antivirus, whitelisting, perimeter firewalls, security information and event monitoring, network monitoring, removable media scanning, and backup and recovery.

Managed services are available for many cybersecurity solutions through Emerson’s Guardian Support, enabling Emerson to manage operating-system patch testing, provide support for antivirus signatures, and automate security patches for issues that arise after release.

Emerson continues to invest with expertise, engineering, and innovation to provide long-term protection for your industrial-control-system investment and your facility’s production and operations. The comprehensive cybersecurity solutions, which include certification, defense-in-depth, and cybersecurity system services, are developed to strengthen your cybersecurity posture so you can meet your goals for an available, safe, and secure operation.
