Cyber Security for Process Automation

Dates: Apr 13, 2018
Location: Cork, Ireland
Venue: Rochestown Park Hotel, Cork
Website: http://isa.ie/CybersecurityForProcessAutomation2018/

Meet Rob Turner as he presents ‘Assessing Security Risk in an Industrial Control Network’ at the ISA Ireland Cyber Security for Process Automation conference, Cork on 13th April 2018.

 

Abstract

How do we assess security risk for an industrial control network? There are some well-established methods, such as the NIST Cybersecurity Framework, but they tend to focus on the security of information, not the security of a company's control assets.

At first sight this would appear to be an immature area with little in the way of practical guidance available. Yet we are very familiar with assessing risk when it comes to functional safety, so perhaps we already have a framework we can work from? Edition 2 of IEC 61511, the standard for functional safety for the process industries, mandates the assessment of security risk as part of an overall integrity assessment, so perhaps this provides us with some clues?

  1. What can we borrow from elsewhere?
  2. How do we properly assess the consequences for a control or information system?
  3. What does 'likelihood' mean when we are talking about industrial cyber security?
  4. Can we actually quantify risk in this context?

Security risk assessment for an industrial control network appears to be on the fault line where the disciplines of IT security, OT security and functional safety collide. This is the author’s personal view on where these disciplines overlap and how they could be combined to provide a suitable assessment method.

Presenter: Rob Turner BSc (Hons) CEng MIET GICSP

Rob is the Team Lead for Yokogawa’s Advanced Solutions group in the UK and a practising consultant in industrial cyber security. In a career spanning over 35 years, Rob has been actively engaged as both an engineer and a technical consultant in control, automation and industrial IT. He has been involved in industrial network security since before it became a major issue and is currently engaged in gap assessments and improvement planning for clients in numerous industry sectors. At the beginning of 2017, he became a qualified Global Industrial Cyber Security Professional (aka GICSP) through the SANS Institute.

 

 
