By Eric Cosman, Co-Chair of MESA's Cybersecurity Working Group
The subject of industrial cybersecurity has been a topic of considerable interest for well over a decade, particularly with respect to the potential implications for the protection of critical infrastructure. Standards exist at the industry, national and international level, but these are often of little practical use to the typical asset owner without additional professional guidance. Several groups and organizations have stepped forward to provide such guidance, often directed at a specific industry sector. To a considerable degree, these guides and similar documents then restate or reinterpret the same or similar principles, without adding much in the way of new or fresh insight.
The result of all of this interest and activity is that we are faced with a tremendous amount of information; so much that the quantity itself can become a significant impediment for those trying to address specific challenges related to industrial cybersecurity. A quick Internet search on the subject can result in literally thousands of references, leading to considerable confusion.
Even with all of this information, there are still reports that not enough is being done to address the evolving risks to these systems. Perhaps we could describe our situation by paraphrasing a famous quotation:
“Everybody talks about the weather, but nobody does anything about it.”
– Charles Dudley Warner
How can we explain this apparent dichotomy? On one hand, we can quite easily reach out and get a tremendous number of articles, guidelines, whitepapers and other sorts of documents in the public domain. Yet it appears that people still feel that they need something more.
The MESA Technical Committee has chartered a working group to investigate the topic of industrial cybersecurity and identify what is needed by the MESA membership in this area. After the group was formed, there was an immediate consensus that work products should deliver new, if not unique, value, and not simply add to the confusion. In order to address a range of needs, the group will offer information in several forms, including blog posts (such as this one), whitepapers and perhaps webinars.
Topics suggested thus far include:
- The Business Case for Proactive Cybersecurity and Risk Mitigation
- Secure Design Practices for Industrial Cybersecurity (in the form of case studies)
- An Overview of Available Cybersecurity Tools and Their Application (NOT specific products or suppliers)
Eric C. Cosman
About the Author
Eric C. Cosman provides consulting and advisory services in the management of information technology solutions in Operations and Engineering. He has contributed to various standards committees, industry focus groups, and advisory panels. He is a past vice president of standards and practices at ISA and is currently a member of the ISA Executive Board and co-chair of the ISA99 committee on industrial control systems security.