Let's talk about introducing security

By Toby Weir-Jones

Automation system integrators earn their bread and butter staying on top of all the evolving solutions across the control systems space. No longer limited to hardware, that space has spread to cover a wide range of software tools, specialized interfaces with physical assets, and staff training around policies and procedures.

These systems evolve over time and, even in relatively small environments, become complex. Documentation may exist, but even if it does, it may not reflect every detail; a certain belief in institutional knowledge among the skilled staff and supporting individuals always helps fill in any rough edges when decisions must be made.

Real talk

When confronted with someone like me, a security solutions provider, it’s easy to question how adding something new, which doesn’t change the automation activity itself but adds more detail that must be tracked and potentially changes the reliability of the plant, can provide an overall benefit to your customer. I’ve been adding wrap-around security solutions to existing networks for over 20 years, and I’ve had that conversation with people countless times.

It usually goes something like this:

Customer: Your widget is another point of failure, and I don’t know how to use it. It’s going to make my world harder to manage and create questions around whatever results it produces.

Me: That’s only true if you’re directly managing the risks I address already, and my solution is somehow worse than whatever you’re doing. In fact, you’re not doing anything about that risk today at all; it’s just blind luck that it hasn’t come home to roost.

Customer: Ok, but I don’t know anything about how your widget works and what I’m meant to do with it. How can I make it successful? I don’t really understand all the detail of what it’s going to do, let alone how my people will take advantage of that.

Me: Therefore, you work with trusted providers. Your expertise is in your industry and your customers. A good security solution stays out of the way of that, while protecting your foundations in various ways. Imagine you run a restaurant. You may not have carpentry skills, but you want to ensure your chairs don’t collapse when customers sit down. How do you decide what furniture to buy?

Customer: I work with a trusted supplier. They know what questions to ask, and what I can afford, and come up with the right mix.

SIs are the critical link

And that’s exactly the point. Security is necessary because it helps you keep things running, maintains operational performance and reduces the risk of your customer falling on the floor if the chair collapses. How we do it on a daily basis is less important than you having access to transparency and validation when you need to make your decisions. Once you’ve cleared that hurdle, you’ll move on to other priorities, and I’ll work on my tasks. We’ll talk again soon enough, and I’ll update you on how it’s going.

Bayshore Networks joined CSIA because we believe integrators are the critical link in this relationship. Yes, of course, we believe we have valuable security tools for industrial environments, but we know there’s no such thing as a one-size-fits-all approach in this business. 

We want to engage with the integrators directly and learn about customers’ needs and concerns. Some of them face upcoming regulatory changes and some may have tried things in the past with varying degrees of success. Some have simply hoped nothing bad would happen to them, but that’s not a responsible business strategy.

Like their own businesses, industrial control system security is a serious discipline, which requires significant expertise and technology.

Therefore, it’s essential you choose partners with experience working with the most demanding customer environments imaginable and a product set that has been distilled into more transactional tools for “normal” environments, without sacrificing the core capabilities. 

It’s a long-term trust-based relationship, so a measured approach is critical to success. 

Toby Weir-Jones is Chief Product Officer for Bayshore Networks, Durham, North Carolina.