Content

2 minutes on…Securing energy facilities for the future

Companies that buy SCADA and other types of control gear for energy production centers will begin to ask for more robust defenses against online threats, said Alan Paller, director of research for the SANS Institute. Vendors, which generally have a friendly relationship with their customers, will agree to provide more secure systems, he added.

"For one, any attack against [control systems] will be just as bad for the vendor as for the customer," he said. "And [the vendors] know there is money to be made in all of this."

Paller cited BP as having updated their manufacturing centers and power plants in response to changing online threats. But much of the rest of the industry has operated in fear of knocking their systems offline if they patch networks.

"This is a whole industry operating under the perception that no one can touch their systems or they'll crash," he said.

Paul Dorey, vice president of digital security and CISO for BP, said vendors have awakened to the importance of online security.

"In early 2002, when we started discussing security architectures, accreditation and secure maintenance with process control vendors, we were met with a lot of blank silences. Progress has been significant. From a world where vendors told us that malware protection like antivirus or system patching were just not possible, we see most process control systems providers stepping up to the issue and treating security as a fundamental integrity concern. Several vendors are now even beating IT office system patching timetables as they know the implications in a process control world."

Dorey added that accreditation for corporations that stay ahead of the security curve is in the near future.

"The industry is now stepping toward positive accreditation where systems are tested with known testing technology," he said. "Systems that fail are required to remediate weaknesses as a contractual requirement."

Ernest Rakaczky, director of process control network security at Invensys Process Systems, said he believes vendors and buyers will work together for more secure infrastructure.

"We are controlling a major plant. That becomes a lifetime arrangement," he said. "Because of that, you have an integral part of the day-to-day business operations."

Related

DevSecOps Scanning Challenges & Tips

There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]

It Should Be ‘Cybersecurity Culture Month’

It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.