Wednesday, April 28, 2010

Cyber Security Article

Twitter® is becoming a very valuable tool for finding articles of interest on the Internet. Many writers are posting notices of their articles on Twitter (like I have been doing for over a year now) and other writers and info gatherers re-tweet those notes. That’s how I found this article on ChemicalProcessing.com. It is an interesting look at cyber security for industrial control systems at CFATS facilities, written by Andrew Ginter of Industrial Defender.

The article provides some valuable advice for dealing with Risk-Based Performance Standard 8, Cyber Security. It provides a list of 13 “Key Implementation Challenges” with a brief discussion of each. They range from having a security policy to using a layered approach to security design. There are a couple that deserve special mention and I recommend reading the author’s description: Awareness and training; Monitoring and incident response; System development and acquisition; and Interconnectivity of critical and non-critical systems.

Oh, yes; I was particularly impressed that Andrew discussed “Business continuity and disaster recovery” and did not resort to using the current buzzword, ‘Resiliency’. He does note that a good “cyber-security posture should include planning to ensure continuity of operations and facilitate restoration of all critical cyber assets”. In my mind, this disaster recovery is especially important when the facility cyber assets can potentially control the release of toxic chemicals, prevent mixing of incompatible materials, or maintain safety-critical storage conditions.

If these 13 challenges were all that were contained in this article, it would be a valuable information source for CFATS security managers. But Andrew provides a special bonus in a sidebar entitled “Field Surveys Provide Troubling Findings”. He provides a summary of cyber security information that Industrial Defender has compiled from critical infrastructure assessments that they have done over the last couple of years. The three “widespread cyber-security issues” will point cyber security managers at important potential flaws in their security posture that are well worth looking at.

I certainly recommend that all CFATS security officers and cyber security officers read this informative article. Once again, a single article will not make you a cyber security expert, but it will give you an appreciation of the potential problems and allow you to talk to a real expert without feeling foolish.