Demystifying Cybersecurity

Part I

Matt Malone - Systems Consultant

White Paper
WP-S-20220614-01
Copyright © Yokogawa Electric Corporation
Table of Contents
What is Cybersecurity anyway?....................................................................................................................................................................... 3

Change your thinking....................................................................................................................................................................................... 3

Start now and start small................................................................................................................................................................................. 4

Build a cross-functional team.......................................................................................................................................................................... 4

Stay tuned.......................................................................................................................................................................................................... 5

2 www.yokogawa.com
What is Cybersecurity anyway? Change your thinking
Cyber Security for industrial control systems requires The first step in demystifying cybersecurity is to change
a holistic approach to evaluating all possible risks the perception of what you think it is and what it does.
and implementing tools and systems so those risks The concept of cybersecurity is not to fix something
can be mitigated. If there happens to be a breach, that is broken. For example, consider your company’s
baked-in protection of your mission-critical systems, health, safety, and environmental (HSE) program. The
plant operations data, and networks will save you existence of this program is to monitor and decrease
from costly shut-downs and proprietary data leaks. the risk of injury and environmental accidents. It is an
This article will cover three parts: thinking, steps, ongoing evolution of practices that keeps employees
and teams for people implementing new cyber healthy and the local ecology safe from human
programs or individuals looking to mature existing interference.
cyber programs within their companies.
This view of a company’s HSE program should be
a reference point in implementing an industrial
cybersecurity program. While you may choose
to implement certain solutions and policies, the
cybersecurity program is an ongoing journey to reduce
the risk of attack from a cyber threat to exploit system
vulnerabilities. The cybersecurity program should
evolve and mature over time in order to reduce the
amount of risk leveraged against the site.

www.yokogawa.com 3
Start now and start small Build a cross-functional team
With this new concept of industrial cybersecurity in Let’s say you’re a person on site wearing more than
mind, let’s take a look at planning the first step. one hat and recently found yourself in charge of the
A general first step for any new cybersecurity OT (operational technology) cybersecurity program.
program is for a site assessment. This is my recom- Reach out to fellow coworkers in HSE and emergency
mendation and also that of many industry and management. Why, you may ask, should HSE care
international standards. However, circumstances for about cyber? In many plants across the globe the
the demands of control systems may be different chances are high that many caustic substances under
and an assessment may not be feasible. Regardless, pressure could potentially be released because of a
a cybersecurity assessment, or other comparable cyberattack. The ever-increasing threat of ransomware
service project, should be considered as a paramount attacks that can shut down sites for days on end means
first step. that cybersecurity has a place within a company’s
disaster recovery plan (DRP) and business continuity
If you are the sole cybersecurity engineer with the
plan (BCP).
weight of the entire program on your back, then
do not try to implement everything all at once. Another positive aspect of including coworkers from
Chances are your site won’t have the budget or labor HSE and emergency management is a cohesive team
resources to implement all the solutions you have in has a better chance of success soliciting project funds
mind. However, cybersecurity risk assessments can from management. OPEX and CAPEX budgeting that
be done inexpensively, quickly, and with little to no is attributable to more than one division shows a plan
impact on operations. This first step may be a small of reduced risk and increased safety with documented
one but it can provide the site with an idea of the risk contingency plans are hard to say no to.
that is leveraged against you and prioritize future
cybersecurity projects.

4 www.yokogawa.com
Stay tuned
Now you may be asking, what about antivirus,
whitelisting, and other solutions to avert a threat?
These will all be addressed in Part II. For now, it is
important to understand that the future success of
a new OT cybersecurity program rests on a proper
foundational understanding of how these solutions
should be applied and updated over time.
Otherwise, these solutions could be haphazardly
applied with the real possibility of completely
failing to reduce the risk of a cyberattack.

www.yokogawa.com 5