Paul Rostick


Paul Rostick is the Chief Information Security Officer (CISO) and an Industrial Cybersecurity Advisor for aeSolutions, an engineering & process safety services firm based in Greenville, SC. He advises executives on establishing strategic Industrial Cybersecurity Programs. Prior to joining aeSolutions, Paul was the CISO and Director of Cybersecurity Programs for Sunoco Logistics Partners, where he developed their first integrated IT/OT Cybersecurity Program. He has over 25 years of IT/OT/EHS experience in the Oil & Gas industry.

Posts by Paul Rostick:

September 24, 2019

Building a cybersecurity program part 2 : Building a security culture & understanding the relationship between resiliency vs. security

There are three significant challenges when building a cybersecurity program. They are 1) getting executive commitment, 2) building a security culture, and 3) understanding the relationship between resiliency vs. security. Last week we looked at Getting executive commitment. Let’s look at the last two in more detail in this blog. Building a security culture Most […]

September 18, 2019

Building a cybersecurity program part 1 : Getting executive commitment

There are three significant challenges when building a cybersecurity program. They are 1) getting executive commitment, 2) building a security culture, and 3) understanding the relationship between resiliency vs. security. Let’s look at the first in more detail in this blog. Getting executive commitment From an executive perspective, there are two primary obstacles. The first […]

May 8, 2019

Leveraging Mature Process Safety Risk Management Techniques to Address Industrial Cybersecurity Risk

Functional safety assessments have been a well-established practice since the 1990s to help organizations identify and manage industrial hazards. One of the most important is the Process Hazard Analysis (PHA) requirement and its associated Hazards and Operability Study (HAZOP) methodology, a technique used […]

April 25, 2019

Parallels between pipeline leak detection and cyber breach detection

Pipeline leaks can have catastrophic effects on the environment, on communities, and on a company’s bottom line. A company could lose their license to operate, lose a fortune in revenue, and employees could face jail time. Simply put, no one wants leaks. As a result, pipeline companies invest considerable effort preventing, detecting, and responding to […]

January 30, 2019

Operations is now an IT Shop. It needs to start acting like one.

Once, back in my consulting days, I did a quick IT inventory of a newly-installed industrial automation system I was working on: It was an EtherNet/IP-based network consisting of 65 multi-vendor switches, within which ran a Microsoft Domain containing 42 VM-hosted servers running 145 core pieces of multi-vendor software, arranged in two separately-located fully redundant ‘mini […]


White Papers by Paul Rostick:

You Do Leak Detection, but Do You have Breach Detection?

Pipeline leaks are bad for everyone. They can have catastrophic effects on the environment, on communities, and a company’s bottom line. Given a bad enough leak, you could lose your license to operate, lose a fortune in revenue, even face jail time. No one wants leaks.

Pipeline companies invest considerable effort preventing, detecting, and responding to leak incidents, but are they investing enough effort preventing, detecting, and responding to cybersecurity incidents? Since, in principle, a cyber-incident could lead to a leak incident, companies should consider breach detection as part of their overall leak prevention program.


If it isn’t secure, it isn’t safe™

The convergence of Information Technology (IT) and Operations Technology (OT) platforms has exposed modern industrial automation systems to increased risk. Cyber threats have the potential to affect multiple layers of protection, including basic process control, process alarms and safety instrumented systems. In certain circumstances it may be possible for a single cyber threat to simultaneously defeat all three layers of protection. Unfortunately, traditional process hazard evaluation and mitigation techniques such as HAZOP and LOPA do not include a requirement to evaluate or mitigate cyber threats. This paper examines two aspects of integrating cybersecurity and process safety risk management.
