ZIFFPAGE TITLEManaging Risk, Not EliminatingBy Baselinemag | Posted 2006-09-13 Email Print
Modernizing Authentication — What It Takes to Transform Secure Access
Air Products' Cheryl Flannery provides new insight into securing information and manufacturing systems.It">
Managing Risk, Not Eliminating It
Q: You've given us some tipsdoing vulnerability assessments, applying risk management techniques. What other steps have chemical companies taken that other companies would be wise to follow?
A: I think the key theme is that, similar to physical security, you need to have layers of protection. It's not just one thing that will keep intruders out and keep you safe.
Just [as] in the old mind-set of physical securityyes, it helps to have a lock on the gate, but that's not going to prevent everyone from possibly breaking in and stealing something. Make sure you have strong passwordsand some type of monitoring for activity that looks like it may be an issue.
[Another] area where we could focus more is doing more planned and unplanned drills. On the physical side, they do many drills, [such as] if an incident were to happen at a plant or an [accident with] a truck, transporting goods.
I don't think we in the [computer security] industry do enough drilling with either a cybersecurity incident or a blended attack. I think more attention needs to be given to actually planning drills.
Q: And this would include setting up a disaster scenario and then seeing it through from first alerts, to response, to problem resolution?
A: Right. The chemical industry has very robust crisis management processes and structures in place to deal with various crises. I think a key improvement would be to actually incorporate cybersecurity, information security, manufacturing control security into that crisis management process. So we look [more broadly] at the type of crises you could have, and to make sure we are addressing the information security and cybersecurity component.
Q: So the bottom line?
A: Thinking about security as we do safety.
It's really about [managing] risk, not eliminating risk. And trying to have a more robust risk management process in place so that we're looking at our overall risk and trying to manage it as appropriately as we can.
Another key thing is sharing information across the industry so that we're all better protecting ourselves.
Flannery's Five I.T. Security Tips
* Assess Vulnerabilities