2023 ARC Industry Forum Monday Track 4 Cybersecurity Case Studies

Author photo: Eric Cosman
By Eric Cosman

Keywords: ARC Industry Forum, Cybersecurity, Case Studies, Workshop, OT, Partnership, Risk Assessment, Infrastructure Upgrades, ARC Advisory Group.


The first day of the 2023 ARC Industry Forum in Orlando, Florida included a variety of cybersecurity workshops. This report reviews the case studies presented in the workshop titled Cybersecurity Case Studies (T4). The intent of this workshop was to identify effective practices based on actual experiences. The session included presentations by Tammy Klotz of Covanta and Charles Blackburn of HF Sinclair. Each speaker provided their insights based on lessons learned in their company’s implementations. The session concluded with questions from attendees and ARC contributing consultant Eric Cosman, the session moderator.

Building an Effective Cybersecurity Organization at a Waste to Energy Company

Tammy Klotz is the Chief Information Security Officer at Covanta, a company that provides waste-to-energy and environmental services across several sectors, including chemicals, agriculture, energy, and pharmaceuticals. Covanta operates about 70 facilities in the U.S. and Canada. Tammy shared her experiences in building a cybersecurity program in her current role, as well as in her previous role at Versum Materials.

Tammy framed her remarks in terms of six keys to success that are essentially the same, regardless of the specific circumstances. Some of these were also addressed in other sessions during the Forum.

Cybersecurity Case Studies

Effective Partnerships

The first of these is the need to build strong partnerships between those responsible for IT and OT systems. For OT systems, this includes both operations and engineering. To be successful, such partnerships must be based on mutual trust. Such trust comes about over time as the partners come to know each other and understand that they have many objectives in common that represent the imperatives of the company. Accountability must also be shared, even though specific responsibilities may be assigned to one partner or the other. As with any other corporate initiative, it is critical that proposed measures are seen by company leadership as addressing well-defined risks.

Security and Safety

It is also important to stress the relationship between security and safety. The necessity of having safe operations and environments has long been well understood and accepted in most industries. Perhaps less accepted is the fact that inadequate security can adversely affect safe operations. There have been published reports of situations where a security incident led to a decrease in the ability to monitor and control the equipment under control. This is particularly concerning in cases where powerful equipment or hazardous materials are present.

What You Have and What You Want

The third key to success involves having a current and accurate inventory of equipment and a detailed understanding of the functionality of each device or subsystem. This need is well understood, with several companies that offer a variety of tools for assembling and maintaining a detailed inventory of equipment. Regardless of whether such records are assembled manually or through the use of such tools, this inventory establishes the scope of the cybersecurity program.

Risk Assessment

It is neither appropriate nor even possible to remove all potential risks faced by any complex system. This is why it is essential to conduct a thorough risk assessment, allowing informed decisions about relative priority and urgency. It may be possible to remove some risks, while others may be mitigated or simply accepted.


ARC Advisory Group clients can view the complete report at  ARC Client Portal

If you would like to buy this report or obtain information about how to become a client, please Contact Us

Learn more about ARC In-depth Research at Market Analysis

Learn more about ARC Strategic Services at Advisory Services for Industry Leaders 




Engage with ARC Advisory Group

Representative End User Clients
Representative Automation Clients
Representative Software Clients