Through one of the many newsletters I receive, I came across a great document from Emerson called “Cybersecurity Guidebook for Process Control”. It has a simple purpose, which certainly isn’t new: to summarize in one short document everything that an organization needs to do to secure the process control systems in an industrial plant[i].
What is new is how successfully Emerson has achieved that purpose. Every other document I have seen that attempts this has been essentially a list of best practices, with no sense of the overall goal to be achieved or of how the individual practices help achieve it. Emerson's guidebook starts out by stating that cyber security is an organizational risk and must be addressed using a risk-based approach. The rest of the guidebook follows very naturally from this statement. It is divided into five sections, each generally covering a security domain such as remote access. In each section, Emerson describes something you should start doing, something you should stop doing, and something you should continue doing.
Of course, I’ll promise there’s nothing in here you haven’t heard already. But I highly recommend you not skim through the guidebook for that reason. I ended up reading it twice, and literally stopping to think about each sentence. Whoever wrote this (my guess is it was a team) put a lot of work into crafting each sentence, and there is a lot packed into each one. What they’re recommending is obviously based on a lot of experience. They have clearly put a lot of thought into what are the most effective (and the least effective) practices.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I would love to hear from you. Please email me at firstname.lastname@example.org. Please keep in mind that Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post. To discuss this, you can email me at the same address or call me at 312-515-8996.
[i] Even if you don’t have responsibility for securing a generating plant, I still recommend you read this. There is almost nothing in there that doesn’t apply to substations as well. If all you’re concerned about is control centers, this might be less relevant for you – but I still recommend you read it!