John Cusimano, CISSP, GICSP, CFSE, is the Director of Industrial Cybersecurity for aeSolutions. John is an industrial control systems cybersecurity and functional safety expert with more than twenty years of experience. He leads the cybersecurity group for aeSolutions, a process safety consulting, engineering and automation company that provides process safety lifecycle solutions and tools.
John has performed countless control system cybersecurity vulnerability and cyber risk assessments in the Oil & Gas, Chemical, Water/Wastewater, and Power industries per ISA/IEC 62443 and NERC CIP standards. He has also overseen and participated in the security testing and certification of several control and safety systems per the ISASecure™ and Achilles™ security certification programs. A leader in the development of ICS cybersecurity standards and best practices, John is Chairman of ISA 99 WG4 TG2 Zones & Conduits committee and co-chair of ISA 99 WG4 TG6 Product Development committee. He was instrumental in the development of the ISASecure certification scheme and was recently appointed as US Expert to the IEC TC65 WG10 committee. John is also the lead course developer and instructor for the ISA IC32 training course, “Using the ANSI / ISA 62443 Standards to Secure Your Industrial Control System.”
By Gregory Hale, Writer | John Cusimano, aeSolutions Contributor | Published: April 25, 2018 ISSSource.com Safety can learn from security and security can learn from safety, but now security can help protect safety by using a safety tool.Sound confusing? Just ask John Cusimano. “We are seeing more and more attacks on OT (operational technology),” said Cusimano, director of […]
By Gregory Hale, Writer | John Cusimano, aeSolutions Contributor | Published: April 4, 2018 ISSSource.com Gas is still flowing – and never stopped – but at least three of the four companies operating pipelines admitted they were hit by a cyberattack this week on their electronic systems for communicating with their customers. Oneok Inc., which operates natural gas […]
By Tracy Barbour, Writer | John Cusimano, aeSolutions Contributor | Published: February 1, 2018 Alaska Business Monthly Large or small and in every industry, cybersecurity is critical. Organizations of all types and sizes have been rocked by security breaches and other cyber attacks, including large corporations (Merck, Maersk, and FedEx), government agencies, and even a credit reporting bureau […]
Users, system integrators and suppliers are striking back on cybersecurity intrusions and attacks by sharing best practices, tools and services Traffic cops keep watch Of course, the ultimate aim of any cybersecurity effort is the same as any other plant-floor initiative from basic loop control to advanced process optimization and safety—keep the application running as […]
By Gregory Hale, Writer | John Cusimano, aeSolutions Contributor | Published: September 6, 2017 ISSSource.com In what should be a surprise to no one: A series of attacks compromised energy companies in the United States and Europe which led to bad guys gaining access to grid operations to the point where they could flip the switch on power. A […]
The 2016 edition of IEC 61511-1: 2016 added two new requirements regarding the security of safety instrumented systems (SIS). The first requirement states that “a security risk assessment shall be carried out to identify the security vulnerabilities of the SIS” and the second requirement states that “the design of the SIS shall be such that it provides the necessary resilience against the identified security risks”. The standard directs the reader to ISA TR84.00.09, ISO/IEC 27001:2013, and IEC 62443-2-1:2010 for further guidance on how to comply with these requirements. While these documents are informative, the 479 combined pages do not provide concise guidance on how to address the specific security requirements. The purpose of this paper is to offer step-by-step guidance on how to address the security requirements in 61511 and to identify specific clauses in the reference standards for further information.
The convergence of Information Technology (IT) and Operations Technology (OT) platforms has exposed modern industrial automation systems to increased risk. Cyber threats have the potential to affect multiple layers of protection, including basic process control, process alarms and safety instrumented systems. In certain circumstances it may be possible for a single cyber threat to simultaneously defeat all three layers of protection. Unfortunately, traditional process hazard evaluation and mitigation techniques such as HAZOP and LOPA do not include a requirement to evaluate or mitigate cyber threats. This paper examines two aspects of integrating cybersecurity and process safety risk management.
The majority of process plants today are controlled and operated by automation systems built on Ethernet TCP/IP networks and legacy Microsoft operating systems. These systems are vulnerable to cybersecurity breaches resulting in potentially significant risks. Standards have been developed on how to assess and mitigate cyber risks to these systems. This paper provides an introductory summary of these topics.