Let’s begin with the core message: There is no single solution when it comes to industrial cyber security. Virtually everyone we talked to for this article echoed this sentiment.
“Security is not a project with a single budget and a quick plan. It will never be rounded out with a single bout of procurement, configuration, testing and commissioning,” says Walter Sikora, vice president of security solutions for Industrial Defender (www.industrialdefender.com). “Security is a program, and it’s never completed.”
Sikora went on to say that there are two root-level truths about a security program. First, it requires continuous and diligent monitoring of controls, protocols and networks. “You must always be looking for bad actors,” Sikora explains. Second, you have to begin by setting the right management expectations. “If you don’t have management buy-in, you’re going to fail.”
A Practical Approach
There is disagreement around the severity of exploits likely to be visited on any given producer. Stuxnet, for example, was extraordinarily complex. It was chock-full of zero-day exploits, as well as mechanisms to prevent detection. In its first iteration, Stuxnet included special commands for directing specific PLCs to destroy one type of centrifuge used in the Iranian nuclear program. (For a more complete overview, as well as many perspectives and sources on industrial cyber security, download Automation World’s e-book special report, “Stuxnet & Beyond”. You can access it directly via http://bit.ly/awsecurity.)
A cooperative cheese and yogurt maker in Vermont, however, is unlikely to be hit with anything so dramatic—meaning that a good, practical security program is all that is needed by most. One of the key points of such a program should focus on creating separate zones within your operations.
Eric Byres, chief technology officer and vice president of engineering for Tofino Security (www.tofinosecurity.com), says that zoning is critical because it divides operations into controllable areas. “Zoning prevents problems from ripping through the plant,” he says. “It admits the fact that we are going to have attacks and infections, and so we must have containment methods.”
In the simplest terms, this approach turns areas of a facility into subnets (or zones), integrated only via secure connectivity and firewalls.
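To make the zoning idea concrete, here is an added example (not code from the article or from Tofino Security) of a small zone-and-conduit policy model: each zone is a subnet, cross-zone traffic is denied unless a conduit explicitly allows that protocol and port, and an audit function reports the flows a zone firewall would block. The zone addresses, conduit list and sample flows are constructed for illustration.

```python
"""Zone/conduit model: cross-zone flows are denied unless a conduit allows them."""
import ipaddress

# Constructed example zones (illustrative addresses, not a real plant).
ZONES = {
    "enterprise": ipaddress.ip_network("10.0.0.0/16"),
    "dmz": ipaddress.ip_network("10.1.0.0/24"),
    "control": ipaddress.ip_network("192.168.10.0/24"),
}

# Conduits: (source zone, destination zone) -> allowed (protocol, dst port) pairs.
# Anything not listed is denied, so enterprise hosts cannot reach the control
# zone directly; they must go through the DMZ. Services are assumed examples.
CONDUITS = {
    ("enterprise", "dmz"): {("tcp", 443)},   # assumed: historian web front end
    ("dmz", "control"): {("tcp", 502)},      # assumed: Modbus/TCP collector
}


def zone_of(addr):
    """Return the zone name containing addr, or None if it is in no zone."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def evaluate(src, dst, proto, dport):
    """Return ('allow'|'deny', reason). Default is deny for any cross-zone flow."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return "deny", "unknown zone"
    if sz == dz:
        return "allow", "intra-zone"          # not the zone firewall's concern
    if (proto, dport) in CONDUITS.get((sz, dz), set()):
        return "allow", f"conduit {sz}->{dz}"
    return "deny", f"no conduit {sz}->{dz} for {proto}/{dport}"


def audit(flows):
    """Return the flows a zone firewall would block, from (src, dst, proto, dport) tuples."""
    return [f for f in flows if evaluate(*f)[0] == "deny"]


# Constructed sample flows: two legitimate hops through the DMZ, one intra-zone
# exchange, and two attempts to cross zone boundaries without a conduit.
SAMPLE_FLOWS = [
    ("10.0.5.20", "10.1.0.10", "tcp", 443),
    ("10.1.0.10", "192.168.10.5", "tcp", 502),
    ("192.168.10.5", "192.168.10.7", "tcp", 502),
    ("10.0.5.20", "192.168.10.5", "tcp", 502),
    ("192.168.10.5", "10.0.5.20", "tcp", 445),
]
```

Running `audit(SAMPLE_FLOWS)` yields only the last two flows, which is the containment Byres describes: a problem in the enterprise zone has no direct path into the control zone, and a compromised controller cannot reach back out.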
Along with the concept of zones, risk assessment is another widely accepted and practical approach to cyber security.
“There are three sides to risk,” says Joel Langill of SCADAHacker.com, “threats, vulnerabilities and consequences. You can remove or reduce bad experiences through reduction in any of those three.”
Though opinions around zone creation and risk assessment may differ depending on the security expert you consult, there is one activity on which they all agree: Apply all patches and security updates as soon as possible after issuance and turn on all security programs associated with any deployed device.
The #1 Threat
If you thought the biggest security threat to your operations comes from the outside, think again. The biggest threat you or any business faces comes from its own people. And if it were simply a matter of identifying the potential bad apples, it would be easy. The problem is that most security issues are created due to a lack of awareness. This means that people do things like bring in thumb drives with work done on an infected home computer. And voilà … your network now harbors the same virus.
Once you create the proper level of awareness and the policies to enforce it, be aware that people tend to chafe at policies and procedures unless they are told why the procedures exist. This means you should plan on having a backup to your policies and procedures.
For example, if your policy is to require that operators close and lock the control cabinet door, your backup might be spring-loaded hinges, says Brian Oulton, director of marketing for industrial global sales and marketing at Belden Americas Group (www.belden.com). “Then add a backup to the backup, because people will prop the door open. That might be a set of alarm contacts on the door, so if it stays open too long, somebody else in the place knows about it.”
“People are the weakest link,” agrees John Pescatore, director of emerging security trends at SANS Institute (www.sans.org), “and ubiquitous social sites can add to the problem. If you’re on Facebook, your activities and interests are available to the world. Someone targeting a specific company might go to LinkedIn, find that company’s email administrator, go to social sites and find he’s a runner and discover that he ran for charity in some recent event. All that’s left is an email that says, ‘Sorry I missed you at the race, here are some pictures’ with a link. Without awareness that his position dictates that he always be prudent, the guy is going to click on the link, which might contain a black hat payload.”
>> What We Knew and How We Knew It: We reported on “The Stuxnet Effect on Cyber Security” in April 2012. See what you missed at http://bit.ly/XBxSjp