It is common for most people to believe that technical solutions will take care of the security concerns and that their actions will have little impact. However, numerous security studies point to the fact that policy violations and social engineering are significant contributing factors in most security breaches. Rarely are these the result of deliberate malfeasance by the employee. Instead, they are usually because an employee or contractor did not understand the potential impact of his or her actions. Thus it is critical that any security program have a strong education program so that employees know both the how and the why of appropriate security behavior.
According to API Standard 1164, the owner/operator of a petroleum products operation should:
“Develop a communications and training policy to ensure that new, existing employees and contractors maintain a high level of awareness with respect to system threats and personal security responsibilities:
Have an understanding of the nature of information they are handling
Know how to safeguard the information
Know how to properly classify the information
Know how to report and respond to varying threat levels”
The reality is that most process industry environments are designed with production efficiency, safety and ease of maintenance as their main objectives. Enforcement of security procedures and policy can appear to have short-term counter effects on these objectives if not integrated effectively. Usually this occurs because the security objectives are designed in isolation from the other process objectives.
The Byres Research solution integrates security procedures and policy into the culture of production efficiency and safety through continuous training and education. Instead of looking at cyber security protection as a separate layer, it is made part of the standard safety and production priorities. The Byres Research team has extensive experience in this area and its CTO was selected to design all industry security and data communication training programs offered by the ISA. It has also designed and conducted security training programs for the US Department of Homeland Security, the US National Defense University and leading companies such as BP International.
At the same time, industrial automation systems and networks have key differences, which must be recognized and maintained for the systems to work properly. The Byres Research solution achieves the integration, while maintaining an awareness of the critical differences. The team’s extensive experience with control systems helps to assure the resulting solutions, from training and awareness to hardware technologies, do not adversely affect the operational features of the systems secured.
Byres Security Inc. and Byres Research
P.O. Box 178
Lantzville BC V0R 2H0
Phone: 250-390-1333
Fax: 250-390-3899
Email: info@byressecurity.com
