Efficient Plant March 2021 - 14

feature | network security

The level of risk that is appropriate for your systems and to what level you want to qualify that
risk will be different for each supplier.

depending on the supplier, i.e., a supplier
of boxes may be assessed differently than a
company that supplies the operating system
that controls all of your operational technology (OT) or SCADA systems.

FINDING A LEVEL
This nuance of security level, along with
assurance level, speaks to another need
when assessing the risk of your supply
chain, that of ensuring comparability. Most
companies will have many, many different
suppliers and it's reasonable to consider the
security risk for each differently. However,
this is only possible when there is a sufficiently similar method of assessment used,
so that comparisons can actually be made.
Trying to compare the output of different supply-chain assessment programs, or
even the same program/standard assessed
by different people, introduces additional
complexity into the process.
To this end, a standard process should be
determined and established for all suppliers.
This may include a determination that no
assessment is necessary or that the cost of
risk assessment is higher than any expected value in determining the actual level.
As long as an assessment is consistently
applied, you can have confidence in an
apples-to-apples comparison.
The difficulty is, of course, knowing how
to establish this process and what levels and
decisions are appropriate for your company.
Several standards exist for security assessment, including the NIST Cyber Security
Framework, ISO 27001, and IEC 62443.
Aligning with these makes a lot of sense.
There remain, however, subjective aspects
to these programs, as many of the controls
are risk based and that risk is determined by
the individual companies, which brings us
back to differing interpretations of secure.
Seeking independent, third-party, expert
help to filter this into something that makes
sense for your organization is strongly
encouraged.

TIME HEALS ALL WOUNDS
How long should all of this take? The "step 0"
should probably give you some indication of that; management buy-in is required
for a reason, and that reason is seldom that
the process is quick and easy. We're slowly
moving toward a world where legislation
and industry requirements are mandating
levels of security that are appropriate for
various manufacturing verticals. Although
familiar with safety standards, much of the
industrial sector has not had to deal with
this type of mandate until now, and working
through the complexity of supply chains to
determine the specific aspects of risk that
are involved in any individual product is
going to take time.
This is exacerbated by the cascading
nature of today's supply chains. A single subassembly, automation system, or
SCADA point of presence on any network
segment may introduce a whole new supply
chain itself, for the software and subcomponents that it uses, the remote connections it
may have, and the other systems to which
it interfaces. It may not be an intractable
problem, but the complexity cannot be
understated. Unfortunately, we are unable to
simply cut through this Gordian knot and
start again, so we have to patiently unpick
the individual strands one at a time.
But the knot can be untied. We can
provide more transparency into our supply
chains and, with that transparency, more
understanding of the risk. It's likely that a
new program started today will take years
to come to full fruition, but value can be
harvested much sooner than that. Building
out a program that is not only effective but
designed for a range of results that can be
made use of as soon as possible is definitely
the best practice.

Andrew Jamieson is Director of Security and
Technology at UL, Northbrook, IL (ul.com).
He has worked with the security of embedded
systems for more than 25 years and helped
create the UL IoT Top 20 Design Principles
to inform manufacturers about best practices
that secure their devices from attack.
