BlueScope Steel: Even Colorbond needs cyber resilience

The biggest challenge Australia's BlueScope Steel has is shifting to an Internet of Things-ready world.
Written by Asha Barbaschow, Contributor

When BlueScope Steel demerged from mining giant BHP back in 2002, the term Internet of Things (IoT) hadn't yet crossed the board table. 15 years later, Catherine Buhler, chief information security officer at BlueScope Steel, said the biggest challenge for her organisation is being part of the IoT.

"We've got systems that are designed to be air-gapped and removed from any connection to the outside world, because that's actually the safest option, so being brought in to the IoT, having systems in place and services in place so that our users can actually do their job remotely is a very big call for us because it brings into question all of the issues about safety and security," she explained.

Speaking at the SINET61 conference in Sydney on Tuesday, Buhler briefly revealed that BlueScope was "caught in the crossfire" of the recent WannaCry attack that caused chaos globally, but said it was "really different to a targeted attack".

"It would be interesting to see what a targeted attack would actually be looking for," she said.

Within BlueScope, Buhler said safety and cost drive the business.

"We've come from an environment where security was actually secondary, because the two main factors for us is safety and cost reduction, because if you're in manufacturing that's an absolute key driver," she said.

"Not only do you have to be secure, but you've got to do it very, very cheaply and very smartly."

BlueScope is now automating its slab yards, which requires the addition of hundreds of sensors. The problem that brings with it is the requirement to have a timely understanding of where things are.

"And we have to have all of these things protected so that no one can break in and disrupt," she added.

"That takes a lot of time, and it's built on a system where asset management has historically been poor ... because it's about pumping out your product and making money.

"That's a very difficult balancing act and it's a challenge."

She said, however, that it is a very different experience for an existing system, as there are often pre-determined constraints that need to be adhered to, as opposed to almost free rein with a new system.

"As soon as we plug that into the internet, we spend a lot of time on segregation to keep the [operational technology] network safe," she added.

When it comes to cyber insurance, Buhler said BlueScope is currently reviewing the space.

"No decisions have been made, but it's very, very clear that the only cyber event that would significantly affect our organisation so that we would want to take cyber insurance would be if our blast furnace was blown up -- anything else internally, we can handle that," she concluded.
