Though there are continuing advances in technology and standards for security, experts agree that the more mundane aspects of operator training play a critical role in protection. “Security is mostly a human program,” says Bryan Singer, co-chairman of the ISA99 committee of the International Society of Automation (ISA), which created some of the most widely used industrial security standards. “A lot of software vendors who have technical solutions disagree, but if you don’t have people who know how to read a report, tools are of no benefit.”
Stuxnet is perhaps the perfect case study for the importance of employee training. Most experts agree that it was written by professionals who knew a lot about control systems, in contrast to other viruses and trojans that are often written by those with less obvious skills.
Though they had good technical skills, the professionals who wrote Stuxnet didn’t worry about intricate ways to exploit openings on control networks. They relied on the curiosity of workers who picked up the memory devices and plugged them into personal computers or terminals.
That’s something that security specialists say should be one of the first things discussed in training programs. It should also be mentioned in reminders so employees don’t forget that they need to remain vigilant over the long haul. “People need to be cognizant about what can happen if they plug in an unidentified USB stick,” Hegrat says.
Many managers still ignore this aspect of security, which wasn’t needed before Ethernet opened up industrial networks to the hacker community. Many employees don’t understand that PCs can also bring in viruses, even if users don’t know those PCs have been infected. A laptop taken from the plant and connected to a home network can easily become infected with viruses that may cause serious problems in factories.
“After companies went from field buses to Ethernet, they found employees have a tendency to plug in laptops and start messing around,” says Raj Rajani, Ethernet infrastructure marketing manager for Siemens’ Norcross, Ga. facility. “When that happens, you want to do things like giving only certain people read/write access and others read-only access.”
These safeguards are usually handled with log-ons and passwords, but passwords bring their own security issues. Employees who have to learn too many passwords for different tasks will end up writing them down, making it easy for a disgruntled employee to use another person’s password to create havoc.
While it may seem obvious that leaving sticky notes on a terminal or storing passwords in a document called “passwords” is dangerous, it’s important to spend some time ensuring that employees are aware of the potential for mischief.
At a higher level, employees must be trained to spot potential problems. Though software may monitor network activity and highlight potential issues, some employees have to be trained so they know how to spot potential intrusions. Viruses can sometimes cause problems that might be attributed to other causes.
Those entrusted with network security must consider the possibility that a virus or other malady may be the root cause of these unexplained problems. “Operators have to be aware when they see an unexpected shutdown or a delay that wasn’t there before, that’s a potential sign that a virus may have infected the system,” Singer says.
