Easing cyber security concerns
Users worried about cyber security need to think beyond the technology issue and realize that people, process, and technology all need to work together in harmony to achieve true security.
The fear of security can be a painful experience. Now it is time to finally ease that pain.
Last year clearly was the year of stronger awareness in terms of cyber security. While the security world became aware of the threat a long time ago, a general understanding of the potential for attack from the rank and file and from the executive suite became abundantly clear over the past 365 days.
Awareness, however, does not always mean action. This coming year has the potential to see more knee-jerk reactions to security incidents that battle-weary security veterans will continue to ward off. But it doesn't have to be that way. Industrial control system (ICS) security professionals will continue to stress the importance of building a solid security program.
Much to the chagrin of experts analyzing the industry, users think of security purely as a technology issue, and it is to a certain degree. But it is so much more. The idea of people, process, and technology truly comes into play.
People continue to be the weakest link in security, but they have the potential to be the strongest asset. For that to happen, manufacturers have to train and force workers to think of security much like safety.
That scenario leads to creating a security process that leans on the various security standards out in the industry such as IEC 62443. Manufacturers need to focus on making sure everyone remains vigilant and on top of their games at all times.
There is solid technology out there that can reduce any kind of attack, but providers need to understand what they need to protect and then apply the proper technology. Users cannot just throw technology at the problem and expect results. There needs to be a well-thought-out plan that can't take on the enormity of the issue all at once, but rather tackles the problem on a project-by-project basis that keeps growing.
Safety and security
During this past year, more manufacturing automation professionals understood the idea that safety and security go hand in hand. While some principles do differ, the idea of understanding risk and mitigating that risk is the same.
Differences come into play when you look at the constant change evolving in security where countermeasures need to change almost on a daily basis, which flies in the face of the set-and-forget mentality that prevails in the industry. Added on top of that, the maturity level on the security front is not as evident as it is for safety.
On the other hand, safety has well-defined standards and practices where safety professionals have a greater degree of confidence that the system as it stands should provide a degree of safety for the process and the facility. Safety and security need to provide a united front where one area can learn from and share expertise with the other.
As mentioned, security does fly in the face of conventional thinking. That only makes sense. Bad guys don't live by the rules, whereas manufacturing automation professionals live by rules or standards. What worked yesterday will surely work today and tomorrow. That thinking has to change.
That all means understanding the system and knowing when things are out of whack or not looking right remains a key factor moving forward. With the potential for advanced persistent threats (APTs) infiltrating systems and taking up residence for a period of time to learn the ins and outs of a system, knowing the system and understanding what should and should not be going on is vital. That is where one technology, application whitelisting, can really pay dividends. Application whitelisting permits the execution of explicitly allowed (or whitelisted) software and blocks execution of everything else. This eliminates the execution of unknown programs, including malware.
One challenge when using application whitelisting in business networks is managing the constantly changing list of allowed applications. That burden reduces in control systems environments, because the set of applications that run in those systems is essentially static.
Whitelisting is not the only answer, but it is one solution to add to the arsenal needed to boost protection.
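The default-deny decision described above, and the reason a static control system makes it manageable, can be sketched as follows. This is an added example, not code from the original article: file names and contents are constructed, and real enforcement happens in an operating system or endpoint product rather than in a script.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash file contents: the allowlist keys on content, not on file name."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_baseline(root):
    """Record relative path -> hash for every file while the system is known-good."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            baseline[os.path.relpath(path, root)] = sha256_file(path)
    return baseline

def may_execute(path, baseline):
    """Default deny: run only content whose hash was explicitly approved."""
    return sha256_file(path) in set(baseline.values())

def drift(root, baseline):
    """In a static environment any difference from the baseline deserves review."""
    current = build_baseline(root)
    common = current.keys() & baseline.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if current[p] != baseline[p]),
    }

def demo():
    """Constructed sample: a stand-in for a control-system application folder."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, data):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        write("hmi.exe", b"hmi build 1")
        write("historian.exe", b"historian build 1")
        baseline = build_baseline(root)              # approved state
        write("updater.exe", b"unknown program")     # never approved
        write("hmi.exe", b"hmi build 1, altered")    # approved name, new content
        names = ("hmi.exe", "historian.exe", "updater.exe")
        verdicts = {n: may_execute(os.path.join(root, n), baseline) for n in names}
        return verdicts, drift(root, baseline)

if __name__ == "__main__":
    print(demo())
```

Because the approved set rarely changes in a control system, the drift report doubles as a signal that something on the system is not as it should be.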
Building security from within
In keeping with the changing mindset refrain, security needs to focus on protecting from within rather than on ensuring a hardened perimeter. The concept of the hard exterior worked years ago, but as the industry learned from Stuxnet, if someone wants to get into a system, it doesn't matter whether it has a hardened perimeter or an air gap; they will get in.
That means conducting a true system assessment becomes paramount to understanding what and where you have to protect. After all, you cannot design in security until you know what it is you are protecting. Documenting what users have installed is vital because they often don't even know what they have on their systems. That can lead to building in zones and conduits, which can break the system down and partition it. It is then possible to do a risk assessment on each individual zone.
Threats: Inside, outside
Using the zones and conduits model also shows it doesn't really matter if the attack is coming from the outside or the inside. The idea is locating the attack and mitigating it within the partitioned zone.
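One way to express the zones-and-conduits partition as data and check observed traffic against it, as an added example that is not part of the original article. Asset names, zone names, conduit entries, and flows are all constructed assumptions, and traffic inside a single zone is treated as permitted for simplicity.

```python
from collections import defaultdict

# Constructed inventory: asset -> zone. All names are illustrative assumptions.
ZONE_OF = {
    "eng-ws-01": "engineering", "hmi-01": "supervisory",
    "historian-01": "supervisory", "plc-01": "control",
    "plc-02": "control", "office-pc-17": "enterprise",
}

# Conduits: the only permitted (source zone, destination zone, port) paths.
CONDUITS = {
    ("supervisory", "control", 502),     # HMI polling PLCs over Modbus/TCP
    ("engineering", "control", 44818),   # engineering workstation to PLCs
    ("enterprise", "supervisory", 443),  # business access to the historian
}

# Constructed observed flows: (source asset, destination asset, port).
FLOWS = [
    ("hmi-01", "plc-01", 502),              # matches a conduit
    ("plc-01", "plc-02", 502),              # stays inside one zone
    ("office-pc-17", "plc-01", 502),        # from outside the plant zones
    ("eng-ws-01", "historian-01", 3389),    # from inside, but no such conduit
    ("laptop-x", "plc-02", 502),            # asset missing from the inventory
]

def check_flow(src, dst, port):
    """Return None when the flow is permitted, otherwise the reason it is not."""
    src_zone, dst_zone = ZONE_OF.get(src), ZONE_OF.get(dst)
    if src_zone is None or dst_zone is None:
        return "undocumented asset"
    if src_zone == dst_zone or (src_zone, dst_zone, port) in CONDUITS:
        return None
    return f"no conduit {src_zone}->{dst_zone}:{port}"

def violations_by_zone(flows):
    """Group violations by destination zone so each zone can be assessed alone."""
    grouped = defaultdict(list)
    for src, dst, port in flows:
        reason = check_flow(src, dst, port)
        if reason:
            grouped[ZONE_OF.get(dst, "unknown")].append((src, reason))
    return dict(grouped)

if __name__ == "__main__":
    for zone, hits in violations_by_zone(FLOWS).items():
        print(zone, hits)
```

The check treats the enterprise PC and the engineering workstation identically: what matters is whether a documented conduit exists, not where the traffic originates.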
One misconception that ended up debunked over 2015 is that more threats come from the outside. It became clear the inside threat was much more prevalent and caused much more discord for manufacturers.
The insider threat has become so much of a problem that the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center created a guide to help organizations guard against malicious insider activity.
An insider threat is a current or former employee, contractor, or other business partner who has or had authorized access to an organization's network, system, or data and intentionally misused that access to negatively affect the confidentiality, integrity, or availability of the organization's information or information systems.
Personnel signs to watch out for include: introversion, greed or financial need, compulsive behavior, reduced loyalty, a penchant for minimizing one's mistakes or faults, intolerance to criticism, moral flexibility, a lack of empathy, and a pattern of frustration or disappointment.