By Baselinemag | Posted 2006-09-13
Air Products' Cheryl Flannery provides new insight into securing information and manufacturing systems.
Securing an Older I.T. Infrastructure
Q: You mentioned working with the vendors to get them to build in more security to their products, but with the type of systems used in chemical plants, that presents its own challenges, doesn't it?
A: If you look at the operations of a chemical plant, you may have a plant that is running for years and years without a shutdown. And many of these systems are operational for 20 to 25 years. So many companies don't want to spend the money to upgrade to a newer system.
Plus, it's more challenging as well for the vendors to be receptive and open. The [software] life cycle is not as quick as [for] some of the business systems software, where you have frequent releases.
Q: I haven't heard of any major incidents in which a chemical plant manufacturing system was compromised. Does that make it tougher to convince people to maintain a level of urgency?
A: One of the biggest preventative techniques you can use is awareness education. What we've done in the chemical sector program, as well as within many of our chemical companies, is provide some awareness of different incidents that have happened. We'll go back to incidents that actually happened in other industries that use automated systems.
So, for example, when the Slammer [worm] hit back in 2003, there was actually an [infection] at a nuclear power plant. There was also [an incident] back in 2001 where a hacker got into [the systems for] the port in Houston. I think people are surprised that incidents can happen and that they do happen.
Q: And the challenge as you go forward?
A: I think the challenge going forward is to really make sure that we continue to be vigilant. The threats are always changing. And the vulnerabilities are always changing. So it's not a once-and-done program that you can say you did these specific initiatives and now you're OK.
It's really a matter of keeping up with the latest protection. With every new technology that comes out, it also brings with it a potential for weaknesses. So as you're introducing new technologies, make sure [you're aware of the] possible threats and make sure you're putting the appropriate steps in place.
For example, [take] the increased usage of wireless, not only in the business environment but also in the manufacturing arena. Companies need to make sure that as they introduce wireless, they are doing it in a secure manner.
Q: A big part of that is risk management, is it not?
A: We're really trying to understand where our greatest risks are and where the greatest impact is, and [then] make sure we are focusing our efforts appropriately.
I think that's what companies need to do individually, to say: What are our risks? And how should we be spending our resources and our money and so forth to protect things?
As we are continually challenged for service levels and uptime of systems, where we have systems and plants that don't shut down for many, many years, how [do you] continually improve your processes so that you can more efficiently apply patches and so forth and not have it impact service levels? We continually need to enhance our processes and be able to account for that.
The chemical industry, in general, has had very strong continuous improvement programs across the industry. So whether you're using Six Sigma or lean manufacturing or continuous improvement, there are different techniques that you can use. And what many of our companies are doing is trying to apply those same principles to actually take a step back and look at a process end to end, and try to remove waste and inefficiencies in that process. And if you use patching, for example, that's no different. You can actually apply a number of those techniques to find out where there might be waste in the process and really reduce the overall cycle time implementing patches, for example.