James Cupps, a former network engineer and information security officer for the U.S. Navy, is now on his second tour of duty with Sappi Fine Paper North America, a division of a $4.7 billion South African manufacturing company. Cupps, the North American division's information security officer and Sappi's global security lead, recently shared his thoughts with Network World Executive News Editor Bob Brown.
Give us a feel for your job responsibilities and the company's network.
Overall, we have 20,000 employees but only about 10,000 systems that are spread over several hundred subnets. In North America, we have about 3,000 systems and about 4,000 employees. We have offices on six continents, with large-scale manufacturing presence on four. I am responsible for network and application security including segregation of duty in our ERP system, anti-virus, edge protection, disaster recovery, policy creation and enforcement, regulatory compliance/[Sarbanes-Oxley] and business continuity.
What's the most underappreciated aspect of your job?
Building interregional and interdepartmental consensus.
How is overseeing IT security at a corporation different than in the military?
Believe it or not, you can make decisions more quickly and get them enacted faster in a company. There is more focus on disaster recovery/business continuity in a business and more focus on edge security and general data classification/protection in the military. Other than that, there are a lot of overlaps.
On one hand more threats, from viruses to phishing to spyware, are hitting networks. On the other hand, more money is being sunk into security companies and more tools are coming out. Is it getting any easier to sleep at night?
Actually, yes. The bad guys are definitely getting better, but so are the vendors. Some of the newer [intrusion-prevention system (IPS)] mechanisms are quite easy to deploy and manage and are remarkably resilient. If you implement them in a smart-layered architecture the cost isn't much higher than what we have seen over the last several years. Add to that the fact that executive management is giving the area substantially more attention, and it is finally possible to get real problems fixed. There are a lot of tools, strategies and mechanisms for dealing with rights issues such as [separation of duties] now that had to be performed manually - or more likely not at all - just a few years ago. There are still a few things that worry me. Process-control security is getting a lot more attention but still needs more work from manufacturing companies and the makers of the equipment. This is the infrastructure that allows actual physical control of machinery and plant equipment.
Network security consultants and vendors are fond of painting a frightening picture of network security threats - viruses that result in planes crashing or patients getting the wrong medicine. How real are such threats to you?
I don't know about planes or hospitals. In factory settings, there are fail-safe settings that help avoid safety issues. It is possible to interrupt manufacturing, though, and poor facility design might allow for worse events. People need to realize two things: First, it is always possible for good operators to manually step in and interrupt a problem, so the worst case scenarios are not as bad as what you see on prime time TV. Second, more equipment is being connected directly to IP networks so even if manual operations can stop problems, it is still getting much easier for hackers, viruses and worms to cause problems for modern facilities whether they are power companies, oil producers or paper manufacturers.