Vice-Rector of the University of Petroşani
Vice-Rector of the University of Petroşani, Prof. Habil. Dr. Roland-Iosif Moraru is a graduate of the Mining Institute of Petroşani, in the field of “Mining Machines and Equipments” (1986), Expert Engineer in Mine Safety and Environment (E.N.S.T.I.M.A. France – 1995), Ph.D. in Engineering Sciences – Mines, Oil and Gasses (University of Petroşani – 1999). He has published 42 scientific and technical papers indexed in Thomson ISI Web of Science journals and proceedings, 72 papers in proceedings of international congresses and conferences, 123 articles in national-level proceedings and journals, and 18 handbooks, most of them on topics related to “Occupational Health and Safety”, “Risk Analysis and Management” and “Mine Ventilation and Safety”. Fellow of the Romanian Tunnelling Association, Computer-Aided Engineering Society, Manager of the Research Centre “Industrial Risk Assessment” and the Romanian Electrical Safety Society. Postgraduate studies and specialisations: France – 1994–1995, 1999; Czech Republic – 2007; India – 2008; Spain – 2012. Professor (Full) in Management and Industrial Engineering within the University of Petroşani. Ph.D. Supervisor in Industrial Engineering.
MANAGING SECURITY IN INDUSTRIAL CONTROL SYSTEMS
Industrial Control Systems (ICS) monitor and control physical processes. ICS control our critical infrastructures, safety-critical processes and most production processes. Cyber-attacks on critical infrastructure have been rising since the beginning of the 21st century. These attacks are becoming more severe and harder to detect year after year, which often results in cyber security becoming a central concern among industry players and governments. ICS cyber security challenges have crept into organizations insidiously, without being recognized or understood. To become more flexible and efficient, ICS are increasingly connected to external public networks such as the Internet. When the separation between different networks disappears, old and vulnerable systems are increasingly exposed to threats that they were not designed for. It is therefore important to raise awareness in the organization of the growing need for information and IT security. To establish a unified cyber risk program incorporating the ICS environment, it is important to acknowledge and address the differences in the way security has typically been handled between the business side and the ICS operational side. The starting point for a risk-centric program is to understand the cyber threats to which the organization is exposed and to set realistic goals that can be achieved. Threats may come from different sources, including cyber criminals, cyber terrorists, hostile governments, industry adversaries and more. Process safety and industrial cyber security are tightly coupled. If you are a process control engineer, an IT professional in a company with an automation division, or a business manager responsible for safety or security, you may be wondering how your organization can get moving on more robust cyber security practices.
The four-phase approach described in the presentation, incorporating considerations of the secure, vigilant, and resilient areas, can be applied to drive ongoing improvements. Understanding vulnerability is only one part of the equation. Cyber risk is a combination of threats, vulnerabilities, and consequences. Most organizations want to understand what the true cyber risks are. Instead of the traditional ‘causes’, what we are looking for here are ‘threats’. We also consider vulnerabilities and consequences. Developing and managing secure industrial information and control systems requires not only technical solutions but, to a similarly high degree, a systematic way of working with information security and a good security culture, where management and employees have a common view of the risks and are motivated to implement and adhere to the necessary security rules. An additional benefit of a management system is that it leads to continuous security efforts that also support the operation and management of industrial control systems. Cyber security should be perceived as a process rather than a project. Companies with an increasing dependence on integrated ICS should transform how they handle ICS cyber risk. A cyber security assessment of an ICS is a snapshot in time. An ICS needs to be tested iteratively, based on triggers such as changes to the system or an elapsed period of time. One reason for repeated testing is that most ICSs are built using commercial off-the-shelf hardware and software. New vulnerabilities are often discovered in the current operating systems and third-party software that make up today’s ICSs. The implications of these vulnerabilities for the ICS domain may not be obvious, but could be exposed by a cyber security assessment.