Cyber security: Vendors fight back
New aspects of control system software are reducing the need for manufacturing IT personnel to be security experts.
There is increasing attention by control system vendors to enhance cyber security and operate better in corporate IT environments. This attention is good because cyber threats are not decreasing and, at the same time, corporate IT environments are becoming more protected. While governments have focused on cyber security for “critical infrastructure” industries, such as water, power, telecommunications, and transportation, cyber security also is important for all manufacturing industries.
Some control vendors are using an increasingly popular method of bundling anti-virus and spyware protection with their products. Vendors test the latest version of antivirus software and operating system patches against their software, reducing your need to test and validate security patches and updates. In most cases the operating system (OS) patches are the latest Microsoft patches released on “Patch Tuesday” and are available from the vendor within one or two weeks of the Microsoft release. This gives the vendor time to test all standard configurations. The vendors will then redistribute the patches, executables, and signature (.dat) files that have been successfully tested along with notices of patches or updates that should not be applied. Vendor redistributed patches may also include JAVA updates, browser updates, and Adobe updates if this software is used in their products.
Another cyber security feature that more vendors are offering is preconfigured OS configurations. These are configurations which have unneeded services removed, ports locked, hardware disabled (such as DVD drives and USB ports configured for thumb drives), unneeded applications removed, and security settings preconfigured. These systems reduce the errors associated with the installation of software and configuration of the hundreds of options and services installed with a default OS installation.
While this increased attention by control vendors is a good thing—because it reduces the need for manufacturing IT personnel to be security experts—it does present another set of interfaces for manufacturing IT and corporate IT.
The first issue that often has to be addressed is the antivirus software vendor. Control vendors will pick one antivirus vendor to test and ship with their systems. However, their selected antivirus vendor will probably not be the same as the corporate antivirus vendor. It is important to work with corporate IT to place all of your control vendor’s antivirus vendors on the approved use list. This may be easy in small companies but difficult in large companies because of the number of control vendors used.
Scheduling downloads and patches must also be coordinated with corporate IT. Many large companies will control downloads through a Microsoft Systems Management Server or equivalent. The control vendor patches and upgrades must be set up in a separate domain, subdomain, or OU (organizational unit) so that manufacturing IT can initiate downloads at times that will not impact operations, quality, and safety.
Another new aspect of control software is the increasing use of Microsoft Active Directory and Microsoft domains to control accounts, passwords, and privileges. Managing this information requires careful coordination with corporate IT.
There are multiple options for integrating control domains and corporate domains, but the situation will be complicated if you have multiple control vendors. Check with your control vendors to see if they require a separate domain, if they can operate as a subdomain, or if they can operate in an OU within the corporate domain. Each option provides a different level of local control and different level of corporate oversight.
Increased attention by control system vendors to cyber security and operation within corporate IT environments will help your company. Cyber threats continue to proliferate and operating within a protected corporate IT environment is critical to safe and secure manufacturing operations.