One reason many cybersecurity projects never get off the ground is the difficulty in placing a dollar figure on the benefits. An extensive security effort may stop one or more attacks – or you may spend time and money and still suffer an attack. Putting a dollar amount on security isn’t just difficult – it might as well be impossible.
Despite this difficulty, there are a few ways to improve security that have real benefits, regardless of whether your system is attacked or not. They don’t take much time, and often reap benefits that far exceed costs. You may be doing these things already and only need to add a few cybersecurity activities. If you aren’t doing them now, you may just need a little more justification to get the necessary time and support.
1. Open your eyes. The first person I called to learn about industrial cybersecurity is a maven in the field: Jeff Shearer, principal security architect for Rockwell Automation. “Go in with your eyes open,” Shearer said. “Be thorough and document what your system consists of today.” An accurate system diagram by itself may expose fundamental security vulnerabilities, such as unintentional connections from business networks directly to critical process networks that should pass through security devices. It will also help you identify potential system problems that have nothing to do with cybersecurity. “Security is also about availability,” he explained. “It doesn’t exist in a vacuum. And the work you do to implement and maintain system security will also help maintain availability.”
Problems discovered during an audit may be the least expensive ones to fix. Modifying devices connected to the process is not an easy task, but you can protect those devices with better system design beyond the process layer. Simply having the right devices in the right places can create a false sense of security. “Firewalls, for example, are absolutely critical,” Shearer said, “but they won’t do the job unless they are configured correctly.”
A comprehensive system audit will help you find these issues and improve your system in other ways. For example:
- Are controllers and networks approaching capacity limits that could bring down the system?
- Is your system licensed for useful features that you aren’t using today?
- Do you have adequate spares, and are they up to date and compatible with the devices in the field?
Once you know what you have, tune your system to protect your data and to increase performance. If you already have current, accurate system information, congratulations – you are doing a good job. Take the next step.
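The kind of check an accurate system diagram makes possible, as an added example that is not part of the original column: a script over a constructed inventory (hypothetical asset names, zones, links and firewall rules) that flags business-to-process paths that never traverse a security device, and firewalls that are in the right place but configured to allow everything.

```python
"""Added example, not the column's own: a zone-boundary check over a constructed
asset inventory of the kind an accurate system diagram yields."""
from collections import deque

# Constructed inventory (hypothetical names): asset -> zone.
ASSETS = {"erp-server": "business", "eng-laptop": "business", "fw-dmz": "security",
          "historian": "dmz", "scada-hmi": "process", "plc-1": "process"}
# Constructed undirected links; the last one bypasses the firewall entirely.
LINKS = [("erp-server", "fw-dmz"), ("fw-dmz", "historian"), ("historian", "scada-hmi"),
         ("scada-hmi", "plc-1"), ("eng-laptop", "plc-1")]
# Constructed rule set: an any-to-any allow makes the firewall a pass-through.
FIREWALL_RULES = {"fw-dmz": [{"src": "any", "dst": "any", "action": "allow"}]}

def neighbours(asset):
    """Assets directly linked to `asset`."""
    for a, b in LINKS:
        if a == asset:
            yield b
        elif b == asset:
            yield a

def paths_bypassing_security(src_zone="business", dst_zone="process"):
    """Breadth-first search from each src_zone asset; report the path the first
    time a dst_zone asset is reached without crossing a 'security' asset."""
    findings = []
    for start, zone in ASSETS.items():
        if zone != src_zone:
            continue
        queue, seen = deque([(start, [start])]), {start}
        while queue:
            node, path = queue.popleft()
            if ASSETS[node] == dst_zone:
                findings.append(path)
                continue  # reached the target zone; no need to go deeper
            for nxt in neighbours(node):
                if nxt not in seen and ASSETS[nxt] != "security":
                    seen.add(nxt)
                    queue.append((nxt, path + [nxt]))
    return findings

def open_firewalls():
    """Security devices whose rules allow any source to any destination,
    i.e. devices that are in the right place but not configured to filter."""
    return [fw for fw, rules in FIREWALL_RULES.items()
            if any(r["src"] == "any" and r["dst"] == "any" and r["action"] == "allow"
                   for r in rules)]

if __name__ == "__main__":
    print("Paths bypassing security devices:", paths_bypassing_security())
    print("Effectively open firewalls:", open_firewalls())
```

Feeding it a real inventory means exporting the asset list and link table from the documented diagram; the two findings it reports are exactly the two audit problems the column describes.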
2. Opt in. “Many companies overlook security features that are built into process control systems and devices. Educating yourself on the capabilities of these product features and deploying them is a great first step to a more secure system,” Shearer explained. This is true for systems, and for formerly stand-alone devices that are later brought into the system. Spend a little time learning about intrinsic security features in the systems you already own. This will help you identify gaps between system components from different vendors – a huge source of potential risk.
If you have already scoped out the security settings on your devices and can expand your system without wasting hours during a shutdown frantically paging through manuals, I’m impressed. Come to my town, and I’ll buy you a cup of coffee. But there’s another thing to think about, which is a blind spot for many people.
3. Know your system integrators. The real measure of system integrators’ respect for cybersecurity is how they treat their own systems and devices. Do your integrators have written security policies? Do they have rules about how they protect, use and dispose of the information you give them? Do their policies extend to mobile devices like cell phones, as well as laptops and servers? Will your integrators treat your system with appropriate care, or unintentionally open doors for the bad guys?
Ultimately, defining security policies and procedures and communicating them to integrators is your job. Integrators are responsible for upholding your standards and leaving your system at least as secure as they found it. But integrators who have already thought through their own security posture will take less time getting up to speed. They are also more likely to follow both the spirit and the letter of your policy. They can even help you improve your policies for integrators, or help you create one if needed.
If you’re doing all these things, congratulations. Your salary, whatever it is, is not enough; tell your boss I said that you deserve a raise. But if you still need support from your organization to improve security, remember to take into account the non-security benefits.
James Cage is an automation solution integrator at Avid Solutions Inc., a Certified member of the Control System Integrators Association (CSIA). He is a member of Avid’s cybersecurity committee. Contact James at [email protected] or follow him on Twitter at @JamesDCage. For more information about Avid Solutions, visit Avid’s profile on the Industrial Automation Exchange.