Analysts and suppliers wholeheartedly agree that humans are the most important arsenal in the battle to protect corporate assets.

Employees need to understand not only the rules, but also why those rules are needed, before they will remember to implement them at all times. That goes from simple things such as not taping passwords onto monitors, to ensuring that computers used for remote log-ins don’t have viruses. Employees also have to be vigilant whenever they use the corporate network.

“The first line of defense is your people. Companies really have to look at social engineering, when people try to manipulate employees into doing things they’re not supposed to do,” says Doug Wylie, business development manager at automation supplier Rockwell Automation Inc., in Mayfield Heights, Ohio.

Social engineering attacks are focused on a company, in marked contrast to attacks that are thrown onto the Web in hopes of finding an unprotected system. This sort of assault is more common in the business world, where competitors, disgruntled employees and extortionists will often target a company.

Free memory sticks!

“At corporations, 70 percent of attacks involve social engineering,” says Adriel Desautels, chief technology officer at Netragard LLC, a Mendham, N.J., cyber security firm. These attacks can be as simple as dropping infected USB memory sticks near the front door, or building friendships with employees using Facebook or similar accounts. Once relationships are established, it’s fairly simple to trick employees into downloading viruses, he explains.

Home computers and laptops are often the source of viruses. The shift to Ethernet and transmission control protocol/Internet protocol (TCP/IP) has made it simpler for operators to log in remotely from home or even coffee shops. This provides major benefits when problems arise at 3 a.m., or when managers are away at a trade show.

But this benefit comes with a potential liability. A home computer that may be shared with many family members could be infected with a virus that could migrate to the industrial network. Some companies eliminate that threat by accepting only authorized computers and checking them before granting access.

“When you log in remotely, the system makes sure you have the latest antivirus system and the latest Microsoft patches. We also guarantee that only assets owned by the organization can come into the network,” says Ben Blakely, Information Security Officer for Independent Electricity System Operator (IESO), which monitors the electric power grid in Ontario, Canada.

At all levels, policies must account for human shortcomings. Unlike machines, people get frustrated when equipment designed to help them instead causes problems. Equipment suppliers tell their customers to implement policies that can be remembered easily throughout the entire facility. “If there are inconsistencies, it can be difficult to work with. If it takes a lot of training and customers are confused, operators will turn things off, completely thwarting all the best efforts,” says Rockwell’s Wylie.

Personnel must also understand when they need to step in, and what they need to do. Often, the role of software protection is simply to search for anomalies and alert operators. “If we see a lot of traffic source from an address, or we see a lot of forbidden messages, it’s probably somebody trying to find an area to exploit, so we step in,” Blakely says. He also notes that the alert logs will also warn operators when they detect repeated log-in attempts in a given area.

Technology and training are both necessary for security. Many analysts note that although the human side may be a bit tougher to understand and address, it may be a more important aspect than technology. “Good programs depend more on policies, and not as much on technical solutions,” says Nate Kube, chief technical officer at cyber security specialist Wurldtech Labs, of Vancouver, British Columbia, Canada.

Terry Costlow, tcostlow@comcast.net, is an Automation World Contributing Editor.