The Future of Industrial Security and Compliance
Have you found yourself asking questions like these?
- Am I compliant?
- What do I need to do to become compliant?
- What standards and regulations am I required to comply with?
- Am I secure?
- What do I need to become secure?
- Is a cyber vulnerability assessment (SVA) enough?
- How do I determine what assets are critical?
- What is the difference between an Audit, Assessment and Analysis?
- Can I be held liable, and if so, what for?
- How can I improve communication and relations with IT and across other departments?
As operators continue to deal with the increased demand for information about critical processes by implementing Commercial Off-The-Shelf (COTS) software, connecting to the Enterprise layer and migrating toward IP-based networks, reliability and security become increasingly more of a challenge. In addition to the external requirement for near "real-time" information, operators must deal with increased security threats and compliance issues. As a result, industrial process control systems and networks must be continually updated to address existing and emerging security and compliance concerns. Staff members involved in this process must overcome the "set it and forget it" mindset that often permeates process control environments, the priority discrepancies and communication issues that often occur between the process control group and corporate IT, and a growing number of ambiguous security standards, industry best practices, guidelines and regulatory requirements.
Unfortunately, there is little agreement on exactly which standards to follow or which ones will be enforced. Even in more regulated industries, such as the Electric Utility market, it is still a challenge to maintain security while complying with these requirements due to their lack of technical insight and agreed upon guidance. Many of the current standards and guidelines available address cyber-security issues while ignoring physical attack vectors (which can also lead to control system cyber access), operational considerations and legal issues. In some cases, current industry accepted practices can actually create liability.
Having a Process in Place is the Key
Security and compliance are moving targets. When it comes to passing an audit or surviving an incident, having a process in place is the key. Actual audits and litigation trials have shown that, even in a field as ambiguous and highly interpretive as industrial security and compliance, organizations that have performed the necessary due diligence and have a process toward security and compliance in place have fared much better than those that have not.
What is CiSACS?
CiSACS is, in short, a process. It is a specific methodology designed to maximize security and achieve regulatory compliance within industrial markets such as Utility (Electric and Water), Energy (Petroleum, Natural Gas, Wind, Nuclear, etc.), Manufacturing, and any other organization that relies on process control, automation and SCADA technologies.