3M adjusts security attitudes

Dec. 26, 2017

"To operate an effective, sustainable cybersecurity system, you first need to think about what your process requires," says Bill Cotter, senior engineering specialist at 3M, who spoke at ARC Industry Forum 2017 in Orlando. "Do you have intellectual property (IP)? Do you need security or operations security? You'll definitely require management support, and then focus on the connections needed to protect your particular business model. 3M has many different locations, and so it's not monolithic, but it's a collection of different facilities and applications.

"The problem in big companies is figuring out who's responsible for what, dealing with constant changes, and deciding who's going to do what. It can be a monster job to know all the details of what you have. Remember Y2K when we had to list everything? Now, we need to know more about status of devices and how they're protected. It can be overwhelming, but we do the research, and develop stretch goals."

Cotter adds that, "Cybersecurity also means doing a lot of reading about standards, bad incidents happening, and reevaluating and adapting to what's needed. Sometimes the most important security task isn't the newest, such as simply checking if you've backed up data and making sure it's recoverable. We're also not keeping what we learn about cybersecurity to ourselves. We talk and email a lot at 3M, and use Wikis and SharePoint tools to share best practices. It's also important to measure outcomes after setting goals. This can be hard, but just pick something you want to refine, and apply some metrics."

Cotter reports it's a good idea to use:

  • The National Institute of Standards and Technology's (NIST) framework for cybersecurity contained in its "Guide to Industrial Control Systems (ICS) Security"; and
  • The U.S. Dept. of Homeland Security's Industrial Control Systems Cyber Emergency Response Team's (ICS-CERT) Cyber Security Evaluation Tool (https://cset.inl.gov). 

However, Cotter explains it's equally important for information technology (IT) and operations technology (OT) to cooperate on cybersecurity issues. "I can't afford to have OT and IT split," says Cotter. "We have and we recommend having a partnership and working together. IT can give us tools like two-factor authentication that we can implement. Similar to everything else we do, cybersecurity is also about keeping our plants running and making money. It just has to be integrated with our operating systems and their particular issues. Security is all about the lifecycle, too."

Visit the full story here:

You can be a cybersecurity badass - part 1 and part 2
