If there’s one thing we’ve all learned in the past few years, it’s that our plant floor systems are not as secure as we once thought them to be. The proliferation of thumb drives, CDs and laptops that shuttle between the plant floor and employees’ homes prove that the “air gap” separating plant floor systems from the enterprise simply does not exist.
The ultimate prescription for securing your systems varies widely, can cost a bundle, requires a great deal of attention and can be extremely complex. However, by following these 5 practical steps you’ll be well on way to providing a solid baseline level of security for your plant, regardless of its size.
As you read through these steps, you may find the advice to be incredibly simple and practical. While this is certainly true, it is nonetheless consistent with advice from U.S. government agencies including DHS, INL, US-CERT, ICS-CERT and NSA, as well as standards organizations such as ISA and IEC.
1. What’s Your Worry? The first thing to realize is that it is impossible to prevent all the possible security breaches from occurring. That’s why most experts recommend doing a risk assessment. Simply put, you’ll need to create a list of those real events that are most likely to happen and that are worth preventing in your line of business — with special attention paid to the things you value most. Invite co-workers and people from outside your company whom you trust to be objective to help in this process. It’s also important to avoid being swayed by sensationalism in this area. Take the necessary steps to protect your operations, but keep it in perspective. To ensure you do this, prioritize the list you create based on how easy or how likely it is that the problem will occur and how big the problem would be if it did occur. Consider intentional and unintentional actions by outsiders and employees alike. For each of the issues you list, create a remediation plan to reduce or eliminate the highest potential threats.
2. Think Broadly. Your security plan will be most effective if you draw from the broadest range of options available and prioritize your choices to address the highest-level risks on your list. Your range of choices should include:
- Company Policies and Procedures. While there are very practical limits to how you can expect your own employees to consistently behave, this is a great place to start and end your security plan. You should also update your policies and procedures to be ready to respond appropriately in case of a security breach.
- Physical Security. Where there used to be locks and keys that slowed worker movement, there are now cameras and sensors to provide authorized access unobtrusively. The same Ethernet network that runs throughout your facility for industrial networking can also provide power and signal for security cameras and devices.
- Network Security. To give the right people and right applications access while keeping others out, create an Ethernet network infrastructure that compartmentalizes (segments) various physical zones and logical functions. Good design and good industrial switches, wireless devices and routers provide this capability using VLANs (virtual local area networks), subnets, and layer 3 routing. If you are not familiar with these devices, turn to a solid industrial Ethernet designer for help. Be sure to add industrial security devices to your entire system design and not just to the edges of your network. This means including security layers between zones. The best security devices for these areas will offer a range of monitoring and protection, as well as features specific to industrial networks. Another desirable aspect of the best security devices is that they can be updated without disrupting your plant operations.
- Device Security. Many automation devices today include security features, but it’s important to realize that these features are often inconsistently available. While these features can help with your overall security strategy, you may find it more effective to keep these devices locked in a control cabinet or protected using network security rather than dealing with the inconsistencies among devices.
- Computer Security. This is one area in particular where your IT group can be a significant resource. A bottom line approach here includes: using great antivirus software from one of the well-known security companies; restricting applications to only those applications that are needed; and strictly enforcing company policies and procedures. And don’t forget to enable features that scan USB drives, DVDs and network traffic, as well as download new virus definitions automatically. Check your system regularly to ensure those features remain enabled.
3. Just Do It. Finalize and execute your plan. Turn the right features on. Don’t allow those features to be bypassed without you knowing about it.
4. Revisit. The best security includes elements that make your application a moving target. Don’t start with security unless your plan includes regular updates to your anti-virus software and firewall protection. It should also include periodic re-evaluation of threats and the overall effectiveness of your security implementation with room and budget to adjust as needed.
5. Consider a pro. Whether or not you feel comfortable handling the steps listed above, never dismiss the idea of bringing in someone with industrial network and security expertise to help with your plan and design. The cyber security game changes daily, sometimes hourly, and getting help from someone focused on industrial cyber security can have huge payoffs in terms of protection, risk mitigation and remediation. Be aware, though, that if the experts you bring in don’t take you through the steps listed above as a starting point, choose someone else.