DeepSec 2018 Talk: Can not See the Wood for the Trees – Too Many Security Standards for Automation Industry – Frank Ackermann
“Plant operators and manufacturers are currently faced with many challenges in the field of automation.”, says Frank Ackermann. “Issues such as digitization, Industry 4.0, legal requirements or complex business processes that connect IT and OT are paramount. Related security problems and risks need to be addressed promptly and lastingly. Existing and newly created industry security standards (such as 62443, 61508 and 61511, 27001, …) are designed to help to improve security. But do the different approaches of these standards fit together? Are managers of the companies and manufacturers supported or rather confused by them? The presentation provides an overview of the key security industry standards, discusses the dependency and coverage of the standards, and aims to encourage discussion about if the standards optimize general security in industrial control systems.”
We asked Frank a few more questions about his talk.
Please tell us the top 5 facts about your talk.
- De-confuses many security standards in the automation industry
- Discusses not only 27001
- 62443 or Yoga does not solve your security problems in the automation environment
- Lists pros & cons
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
By starting in the automation industry, I was heavily confronted with all the different standards and their ways on how to implement. Having in mind, that several plant responsible(s) have no background in IT/operational technology (OT) security, I realized that they might feel overrun by these requirements and standards.
Why do you think this is an important topic?
Just imagine: plants for water conditioning are manipulated or power grids are over and over instable due to ‘Cyber’ security incidents. International standards can support companies to setup their security organization and find the best processes to prevent incidents.
Is there something you want everybody to know – some good advice for our readers maybe?
First think, then act.
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
The future in automation becomes more and more connected. This leads to a larger attack-surface. The industry has to overthink the current operational models to become more secure – this will be accompanied by tailor-made security solutions for the automation industry.
Frank Ackermann has been active in the field of IT and information security for over 15 years. At renowned international companies, he worked in the core security team or examined the implementation of security solutions. Modern business processes today require a bridge between an industrialized automation environment (OT) and classical information technology (IT). This means that processes, organizations and technical measures should be designed holistically and inherently secure. All parties involved must work continuously on this.