These nefarious activities require that security architectures and defenses be continually enhanced and fortified. While this has spawned an industry to itself, it is amazing how many security fortresses are penetrated with simple social engineering.
As consumers and general Internet users, we all try to take care that we do not become unwitting accomplices or fall victim to these attacks. We update our virus software, we don't click on links in emails without authenticating them, we discard emails from unknown senders, and we don't respond to any general inquiries that request passwords or account information. We are keenly aware that our reputations, our creditworthiness, our finances, and our relationships can all be put at risk regardless of the scope or scale of the attack. Yet how often do we learn about the hacking of an Internet service that stored confidential credentials and other information "in the clear" or with flawed cryptographic techniques? Users can be victimized by inept business practices.
It’s equally important to think about cyber security in the context of automation systems. While a cyber-encroachment in our personal life may wreak havoc that takes months or even years to unravel, a hack of a control system can result in lost production time, stolen intellectual property, injuries, or worse. Standard IT security practices provide some level of protection but it is probably better to be more paranoid when it comes to control system cyber security.
Are you continuously enhancing and fortifying your security architecture and defenses? Do you regularly examine log files from servers, firewalls, routers, and other network infrastructure elements? Do you have a firewall and router policy implemented that allows only pre-authorized traffic between specified clients and hosts and denies all other communications? Do you have an enforced policy regarding USB and other itinerant devices? Do you seek the guidance of security experts to develop your security architecture, your security policies, your security breach response plan, and to audit your security practices and infrastructure? Are your physical plant security protocols aligned with your control system cyber security protocols?
Our FDT Group Executive Committee has recently taken steps to initiate an independent security audit of the FDT standard and our FDT Common Components to determine ways to enhance our security profile to deflect the latest threat vectors. We have also added a "Security" section to our Website’s technical documents page to house any security notices or advisories relevant to the FDT standard. Whether you are an FDT vendor or user, I encourage you to visit this section regularly.
Effective cyber security requires awareness, adaptability and continual fortification. A collaborative control system community raises our collective awareness to help keep us all ahead of the black hats. If you have any cyber security concerns or suggestions related to FDT, please send an email to security (at) fdtgroup (dot) org or contact our Managing Director, Mr. Glenn Schulz.
- Hartmut Wallraf