As sharing of information between supply chain partners increases and company systems continue to be connected via the Internet, the larger companies you supply—who will likely be very concerned about security—are not likely to share your lack of concern over your potential security issues. Bottom line: a lack of cyber security preparedness can be detrimental to your business beyond the practical reality of an incident ever occurring at your facility.
With that in mind, where should you start?
Joel Langill of SCADAHacker.com suggests starting at the Department of Homeland Security’s ICS-CERT Web site (www.ics-cert.org), and downloading their Cyber Security Evaluation Tool for control systems. “This free download helps you to conduct a non-invasive assessment of your current security posture, and offers some valuable insight into addressing some of the high risk areas,” he says.
Langill also encourages newcomers to spend some time getting to know other areas of the ICS-CERT site, including their section on Information Products. “This area provides valuable best practices for a wide range of security topics, including understanding common ICS vulnerabilities, and cyber security procurement language for ICS,” he says.Langill’s own site, SCADAhacker.com, also contains an extensive reference library of ICS-related security information.
Finally, Langill suggests initiating an awareness and training program within your organization. “The DHS offers some very good training programs for ICS cyber security. The first step to addressing cyber security issues is to become aware of just how serious this is and, from there, how to specifically secure the automation assets within a particular manufacturing facility.”
Ken Modeste, global principal engineer at Underwriters Laboratory (www.ul.com), concurs with Langill’s idea of awareness and training. “A review of the security policies in place today at your facility is a good starting point for investigating cyber security in control systems,” Modeste says. “A gap analysis examining your current security policy and actual implementation should also be performed. The first step in this process should always be to identify the current state of the system. If one doesn’t exist, then your first priority should be to create one for the current system.”