There exists a sizable knowledge and culture gap between the engineering disciplines responsible for the safe and reliable operation of process plant on the one hand, and information security professionals on the other. This gap frequently results in the implementation of inappropriate security measures, either by engineers with limited knowledge of security management or by security professionals who fail to appreciate the potential impact of countermeasures on plant operations and safety.
This talk provides a practical guide for information security professionals seeking a better understanding of how managing and implementing cyber security in industrial process facilities (oil and gas, power, chemical processing and water) differs from their own field of expertise. In covering this topic the presentation explores a number of concepts alien to pure information security, such as:
• The key conceptual difference in approach to control system security;
• CIA vs PEAR, and the asset base;
• Extended Denial of Service (EDOS) attacks;
• The value of information stored on industrial control systems;
• Understanding generic control system architectures;
• Identifying industrial control system components;
• How control system hardware and software differ from mainstream IT platforms; and
• The role of existing functional and process safety risk management in security.