Is your management showing interest in control system cyber security?

fenton2's picture

I am polling around to see if others are beginning to see more interest in cyber security from their management. What is driving the interest?

What Management thinks

PrakashKK's picture

This is a long answer and it has piqued my interest. One has to ask how management works to answer this question. Why would management fork out any sum of money? To generate more profit or to protect existing profit. For the second question, they ask the follow-on question: what incidences have been seen in our plant or in a plant in the same industry, and finally, of less interest, issues in a related industry, that indicate the need to take action; in effect, what's the "burning platform". I am from the Oil and Gas industry and while I do not ever hope to hear of a nasty incident occurring in the industry, even with the (few and) scattered incidences, I do not see a burning platform. In addition, for most of the older operating plants, legacy (and hacker/virus proof) software is still present. If a hacker finds his way into one of these systems (after he has probably broken the corporate/company/control systems firewalls), in the first instance he would be seeing Greek coding (no offense to those who speak Greek). Further, we are talking about what happens if it's Ethernet-based or if he could understand "Greek"; next he really has to understand control coding and, worse, safeguarding coding. To do real damage in a process facility he can do his damnedest in the control system, but a well-designed process would shut down via a separate safeguarding system (oh, which by the way is usually not connected (all the time at least) to the business network). What makes matters even more trying for the potential "hostile" is that he would have to get into the control system and then into the safeguarding system (both potentially with their own "Greek" language/systems). To make matters even more difficult, he would have to have a damn good understanding of the process to be able to cause serious problems. So at the end, we are looking at a person with superb process knowledge, fantastic control system engineering expertise and good IT/hacking expertise all rolled into one.
Are there people like this? Sure, a few. Should we be worried? Well yes, I think we should "start" to get worried. But in management, worry is like a pyramid: if there is a substantial amount of worry at the workfloor level, it eventually trickles to management. Is it happening now? The answer: not as much as it probably should.

Internal audits

CaliforniaPete's picture

A cyber security system is only as good as the people who use it, and it doesn't take a clever hacker to get around foolish people. One wonders how many unauthorized entry points (modems or other) have been installed on the lowdown to allow otherwise well-meaning plant people to access the system from home or elsewhere.

Cyber Security

kkchan's picture

I am sure many of the companies have experienced at least one significant cyber attack on their I.T. infrastructure. That experience, along with internal security auditing processes, prompts an automatic extension from looking at just I.T. to Process Control Systems. Stopping physical access should always be the first step (I.D. badges for entry into the plant, combination locks on doors where process control computers are located, etc.). The next level of protection will be user IDs and passwords and additional hardware (firewalls, etc.).

In my experience the driving force for control systems cyber security has been due to (a) learnings from the I.T. department's experiences and (b) what we read in the news media. Acceptance within management ranks is fairly good because they do realize that there could be loss of production (down time) and loss of assets (hard drive crashes, lost time, overtime paid, etc.).

From a blogger's perspective

JimCahill's picture

I can say from looking at the analytics from the Emerson Process Experts blog that cyber-security posts are some of my most widely visited posts.