Manufacturing Intelligence, Networking, Security & Some Unrelated Stuff
I read a great article from Eric Byres of Byres Security, and it has enough meat for me to pass it along:
IT Security and the Plant Floor
A few months ago, while attending a conference on “Cybersecurity for Process Control,” we heard a question from a very smart network engineer at Cisco that got us thinking. He asked: “Why not just apply the already developed practices and technologies from information technology security to plant floor security—isn’t that good enough to solve the problem?” A week later, an IT security specialist said: “None of this would be a problem if those plant floor people just used proper security policies. What’s wrong with them?”
Both of these questions are valid. In the dozens of industrial cybersecurity incidents we’ve investigated over the past five years, had the facility followed good IT security practices in network design, password handling, and access controls, virtually none of the problems would have occurred.
So why don’t we just deploy the standard IT practices for our process control systems and stop making such a big deal of plant floor security? Are process engineers so stupid, lazy, or stubborn that they won’t just do what IT says?
Process engineers are certainly not stupid, lazy, or stubborn (OK, there are a few exceptions). Certainly some don’t deploy the proper IT security measures because they don’t understand them, but most hesitate because they sense that somehow many IT practices don’t mix well with the plant floor environment. And they’re correct, for four very good reasons.