Through one of the many newsletters I receive, I came across a great document from Emerson called “Cybersecurity Guidebook for Process Control”. It has a simple purpose, which certainly isn’t new: to summarize in one short document everything that an organization needs to do to secure the process control systems in an industrial plant[i].
What is new is how successfully Emerson has achieved that purpose. Every other document I have seen that attempts this has been essentially a list of best practices, without an understanding of the overall goal to be achieved and how the individual practices help to achieve it. Emerson’s guidebook starts out by stating that cyber security is an organizational risk and must be addressed using a risk-based approach. The rest of the guidebook follows very naturally from this statement. It is divided into five sections – each generally a security domain, like remote access. In each section, Emerson describes something you should start doing, something you should stop doing, and something you should continue doing.
Of course, I’ll admit there’s nothing in here you haven’t heard already. But I highly recommend you not skim through the guidebook for that reason. I ended up reading it twice, and literally stopping to think about each sentence. Whoever wrote this (my guess is it was a team) put a lot of work into crafting each sentence, and there is a lot packed into each one. What they’re recommending is obviously based on a lot of experience. They have clearly put a lot of thought into what the most effective (and the least effective) practices are.

Enjoy!
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post. To discuss this, you can email me at the same address or call me at 312-515-8996.
[i] Even if you don’t have responsibility for securing a generating plant, I still recommend you read this. There is almost nothing in there that doesn’t apply to substations as well. If all you’re concerned about is control centers, this might be less relevant for you – but I still recommend you read it!