Paul Rostick


Paul Rostick is the Chief Information Security Officer (CISO) and an Industrial Cybersecurity Advisor for aeSolutions, an engineering & process safety services firm based in Greenville, SC. He advises executives on establishing strategic Industrial Cybersecurity Programs. Prior to joining aeSolutions, Paul was the CISO and Director of Cybersecurity Programs for Sunoco Logistics Partners, where he developed their first integrated IT/OT Cybersecurity Program. He has over 25 years of IT/OT/EHS experience in the Oil & Gas industry.

Posts by Paul Rostick:

May 8, 2019

Leveraging Mature Process Safety Risk Management Techniques to Address Industrial Cybersecurity Risk

Functional safety assessments have been a well-established practice since the 1990s to help organizations identify and manage industrial hazards. One of the most important is the Process Hazard Analysis (PHA) requirement and its associated Hazards and Operability Study (HAZOP) methodology, a technique used […]

April 25, 2019

Parallels between pipeline leak detection and cyber breach detection

Pipeline leaks can have catastrophic effects on the environment, on communities, and on a company’s bottom line. A company could lose their license to operate, lose a fortune in revenue, and employees could face jail time. Simply put, no one wants leaks. As a result, pipeline companies invest considerable effort preventing, detecting, and responding to […]

January 30, 2019

Operations is now an IT Shop. It needs to start acting like one.

Once, back in my consulting days, I did a quick IT inventory of a newly-installed industrial automation system I was working on: It was an EtherNet/IP-based network consisting of 65 multi-vendor switches, within which ran a Microsoft Domain containing 42 VM-hosted servers running 145 core pieces of multi-vendor software, arranged in two separately-located fully redundant ‘mini […]

November 28, 2018

You Do Leak Detection, but Do You have Breach Detection?

In this insightful article in October’s Pipeline & Gas Journal, aeSolutions CISO Paul Rostick explores the parallels between leak detection and breach detection, and why pipeline companies (and others) should be ready for both. You may also read the article below.

April 5, 2018

InTech Magazine – So many security breaches! Are we focusing on the wrong things?

Published: March/April Issue, 2018 | InTech Magazine. We obsess over tools and technologies when we should be focused on culture and commitment. In the recent Equifax breach, which affected more than 143 million people, a routine security patch was not applied to a critical server. In the Target breach, which cost that company over $200 million, […]


White Papers by Paul Rostick:

You Do Leak Detection, but Do You have Breach Detection?

Pipeline leaks are bad for everyone. They can have catastrophic effects on the environment, on communities, and on a company’s bottom line. Given a bad enough leak, you could lose your license to operate, lose a fortune in revenue, even face jail time. No one wants leaks.

Pipeline companies invest considerable effort preventing, detecting, and responding to leak incidents, but are they investing enough effort preventing, detecting, and responding to cybersecurity incidents? Since, in principle, a cyber-incident could lead to a leak incident, companies should consider breach detection as part of their overall leak prevention program.

Download the PDF to read the entire article…

If it isn’t secure, it isn’t safe™

The convergence of Information Technology (IT) and Operations Technology (OT) platforms has exposed modern industrial automation systems to increased risk. Cyber threats have the potential to affect multiple layers of protection, including basic process control, process alarms and safety instrumented systems. In certain circumstances it may be possible for a single cyber threat to simultaneously defeat all three layers of protection. Unfortunately, traditional process hazard evaluation and mitigation techniques such as HAZOP and LOPA do not include a requirement to evaluate or mitigate cyber threats. This paper examines two aspects of integrating cybersecurity and process safety risk management.
