3 pillars of industrial cyber security

Engineering and IT Insight: A stable physical structure requires at least three main supports. Three “pillars” form the basis for an effective industrial cyber security system: technology, policy and procedures, and people.

07/16/2012


Engineering and IT Insight: A stable physical structure requires at least three main supports. Three “pillars” form the basis for an effective industrial cyber security system: technology, policy and procedures, and people. Courtesy: Dennis BrandlA stable physical structure requires at least three main supports. Industrial cyber-security is no different; it requires supporting structures for a stable system. Three “pillars” form the basis for an effective cyber security system: technology, policy and procedures, and people.

Technology: knock, knock

The first pillar of security is technology. Security technology is the easiest to identify and quantify so it is often the focus of most of an organization’s cyber-security efforts. However, while technology is important, it is no more important than the other two pillars. Security technology deals with the identification of users, authentication of users and systems, and access control for users and systems. It also includes firewalls, virus protection software, data encryption, time-controlled resource availability, gateways, intrusion detection systems, network access control systems, and wireless network security.

Technology based cyber-security systems are like locks on doors and windows and motion detectors inside buildings. They provide a measure of protection against nonprofessional attacks, but any technology can be overcome when attacked by professionals. Professional locksmiths can open almost any lock and disable most internal security systems, and well-trained security professionals can bypass almost any technology-only security system.

Demonstrations at recent conferences by experts from the U.S. Department of Homeland Security’s National Cyber Security Division have shown how easy it is to break into control systems. Break-ins were accomplished even though the systems were behind correctly configured firewalls, with multiple levels of password protection, and running under an intrusion detection system with network access control. These simulated attacks demonstrate that it takes more than just technology to implement an effective cyber-secure industrial system.

Policies, procedures

Engineering and IT Insight: A stable physical structure requires at least three main supports. Three “pillars” form the basis for an effective industrial cyber security system: technology, policy and procedures, and people. Courtesy: Dennis BrandlThe second pillar of a cyber-security system is a set of well-defined and readily available policies and procedures. Policies and procedures define how to apply technology security solutions in an effective manner. They encapsulate the knowledge required to configure, operate, and evaluate your cyber-security systems. Policies and procedures should start with a security policy. A security policy defines the overall rational for the policy, identifying the risk-versus-cost rules that can be applied to other policies and procedures. A security policy should not define the technologies to be used. Technology solutions will change over time, but the policy should define specific requirements that must be met by any technology implementation. Don’t be afraid to have multiple security policies, one for each part of your facility with different fundamental requirements. Policies and procedures should specify the security organization, defining the specific roles and reporting structure that should be in place to effectively use the security technology. Other policies and procedures should cover areas such as asset management, access control, incident management, business continuity plans, compliance management, vendor selection, security system maintenance, and communication management.

It is important to remember to make the procedures available in an attack. If the procedures are just stored on-line, they may not be available if the on-line system is the one that was compromised. Therefore, multiple independent copies of the procedures and paper copies should be maintained to ensure their availability even if the networks and servers are unavailable.

Trained workforce

The third pillar of cyber-security is a trained and motivated workforce. The best technology, policies, and procedures still do not provide an effective security system if you don’t have the right people support. The weakest links in most security systems are people. “Social engineering” is the term that security professionals use to describe simple methods used to trick people to reveal passwords, open Microsoft Word or PowerPoint files, download files, and insert USB drives. Any of these actions can be, and have been, used to attack a system.

Your workforce must be educated in security technologies and security procedures. Education in security procedures can usually be done at a low cost and can be integrated into other corporate training on safety and regulatory compliance. Education in security technology usually requires outside training and can be expensive, but it is vital if the technology is to be effectively installed and used. Without a trained workforce installing and maintaining the technology solutions, it is easy to have a false sense of security.

Additionally, even the best trained workforce must be motivated to correctly follow policies and procedures. Motivation comes from understanding the consequences of a compromised system and the reasons for the policies and procedures. It is important for employees to understand that inattentiveness or sloppy execution of security procedures can seriously impact their company, jobs, and community. Motivation also comes from buy-in of the policies and procedures, usually accomplished by encouraging users to suggest improvements to security policies and procedures. Many times IT departments will develop security policies without consideration of the impact on production, while the people who have to implement the policies may have simple suggestions that would significantly increase compliance without reducing security. Effective training and motivation provide the third pillar for an effective security system.

For example, all three security pillars could be used to protect a simple control system. The technology pillar includes the firewall protecting the system and the login accounts to the control system. In a secure environment the login accounts for the control system would be separate from the general corporate accounts. Policies and procedures provide a second pillar by specifying who can be granted login accounts and what training is required before access is granted. The third pillar is the actual training required by employees before they are granted system access. The training would include the reasons for the secure environment, any known risks, and the consequences for failing to protect that environment.

Industrial cyber security systems must be built on a stable platform of technology, policy and procedures, and people. If any element is missing, then the system may appear secure but will be vulnerable to attack and compromise with serious consequences to safety, company, jobs, and communities.

- Dennis Brandl is president of BR&L Consulting in Cary, N.C., www.brlconsulting.com. His firm focuses on manufacturing IT. Contact him at dbrandl(at)brlconsulting.com; Edited by Mark T. Hoske, content manager CFE Media, Control Engineering.

- Read more Engineering and IT Insight columns: atop www.controleng.com search:

“Brandl”

- See link to July cover story, Dark Side of Mobility, below.



No comments
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by...
Each year, a panel of Control Engineering editors and industry expert judges select the System Integrator of the Year Award winners.
The Engineering Leaders Under 40 program identifies and gives recognition to young engineers who...
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
Learn how to create value with re-use; gain productivity with lean automation and connectivity, and optimize panel design and construction.
Go deep: Automation tackles offshore oil challenges; Ethernet advice; Wireless robotics; Product exclusives; Digital edition exclusives
Lost in the gray scale? How to get effective HMIs; Best practices: Integrate old and new wireless systems; Smart software, networks; Service provider certifications
Fixing PID: Part 2: Tweaking controller strategy; Machine safety networks; Salary survey and career advice; Smart I/O architecture; Product exclusives
The Ask Control Engineering blog covers all aspects of automation, including motors, drives, sensors, motion control, machine control, and embedded systems.
Look at the basics of industrial wireless technologies, wireless concepts, wireless standards, and wireless best practices with Daniel E. Capano of Diversified Technical Services Inc.
Join this ongoing discussion of machine guarding topics, including solutions assessments, regulatory compliance, gap analysis...
This is a blog from the trenches – written by engineers who are implementing and upgrading control systems every day across every industry.
IMS Research, recently acquired by IHS Inc., is a leading independent supplier of market research and consultancy to the global electronics industry.

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

Case Study Database

Case Study Database

Get more exposure for your case study by uploading it to the Control Engineering case study database, where end-users can identify relevant solutions and explore what the experts are doing to effectively implement a variety of technology and productivity related projects.

These case studies provide examples of how knowledgeable solution providers have used technology, processes and people to create effective and successful implementations in real-world situations. Case studies can be completed by filling out a simple online form where you can outline the project title, abstract, and full story in 1500 words or less; upload photos, videos and a logo.

Click here to visit the Case Study Database and upload your case study.