Data from the 226 respondents reveal—no surprise—a broad range of opinion.
An open-ended question (“Why or why are you not confident about security?”) offered respondents a way to explain their vote. Among those who are confident, a number cited cooperation between enterprise information technology (IT) departments and production: “The IT team seems to be on it.” “Our IT department takes care of any network security or malware issues.” “Our IT department does a good job with our firewall.”
Among those who indicated the need for more attention, the mood ranged from objective/realistic to pessimistic. “As connectivity between production networks and other networks is increasing, the risks are also increasing. Proper measures should be taken, but this is often forgotten!” “Threats are constantly changing.” “Network security is like a padlock. It keeps out only the good guys.”
Understandably, the world was on the dark side for those who felt no confidence. “[Security can] never [be a reality]. Too many ways for security to be breached—intentionally and unintentionally.” “Nothing has been done.” “Too many high-quality companies that invest millions in security are invaded—makes me feel we are all open to security problems.”
Many of those voting yes expressed an objective rationality. “The more secure, the better.” “Although there can be authentication issues with hardware and connected devices, having the choice to use or not use security-aware products is a benefit to end users.” “At least we will have a minimum security baseline.”
A couple people felt that third-party certification would provide expert levels of evaluation: “I am not an expert in [security technology] and would prefer to have a known standard… to meet when connecting systems to the network.” “We need someone much more informed and trained to tell us the way to become safe and secured.”
A number applied basic risk analysis: “Having the devices certified for cyber security reduces the risk of external viruses and the like, which would be less expensive in long run, [since system breaches] could stop the whole plant.”
The nay-sayers ranged from confident to cost-conscious. “I have enough security!” “Threats are constantly changing. Certified today could breed complacency, making the system more vulnerable tomorrow.” “I do not feel that the expense is justified in our case.” “Unnecessary added cost.” The most succinct answer: “$.”
As with many informal polls, our statistical sample is too low for grand generalizations. But what is clear from the answers, especially those to the open-ended questions, is that industrial networking must move, and move quickly, to increasingly stringent—and hopefully, increasingly effective—tactics designed to prevent the bad guys from disrupting production.
May 2011, Related Feature – Certified Security It’s Coming
To read the feature article, visit http://www.automationworld.com/feature-8769