Security: Are you spending enough?

One problem with writing about network and computer security is the speed at which the threat changes. In the few weeks that separate my writing of this article and its appearance in print, there will probably be another large cyber attack and multiple stories about how companies are not doing enough to ensure computer security.

11/01/2004


To appreciate the increased emphasis now being placed on computer and network security by companies of all sizes, consider these attack facts from SecurityStats.com: an unprotected server placed on the Internet in mid-2003 was attacked 467 times in the first 24 hours; that same server detected 626 attacks in the three weeks following its first day on the Internet; the SQL Slammer worm required only 10 minutes to spread worldwide, doubling in size every 8.5 seconds; remediation costs of the MS Blaster worm were estimated at nearly $500,000 per company, with large companies reporting losses in the millions; at its peak, one in 12 e-mail messages on the Internet was sent by the MyDoom virus; PC viruses cost businesses an estimated $55 billion in 2003.

Keep 'em separated

Usually a company's firewalls and security devices protect the corporate intranet and the operations and automation networks. However, it is still advisable to separate operations and automation networks from the corporate intranet using firewalls, VLANs, or physical separation. Automation and operation systems are often mission-critical: they must remain operational for production to continue. Unfortunately, these systems often are not running current virus protection and current patches, but not due to a lack of effort on the part of manufacturers. In 2003, Microsoft released 51 security advisories across all products (about one patch per week) to help counter the new viruses and worms that are released daily by cyber-vandals.

All of this raises the question: What is the right amount to spend on security and related network infrastructure?

Hardware, software, personnel

According to several public surveys, security hardware, software, and personnel seem to comprise about 4% of IT budgets. Some industries, such as financial organizations and universities with mission-critical IT infrastructures, spend more—averaging about 7% of their IT budget (up to 20% in a few cases). An additional 7% is being spent on network infrastructure, with some of that money earmarked for security issues. META Group (an IT analyst organization) estimates the average security investment will peak at 8% to 12% of IT budgets in the United States by 2006. The security portion of IT budgets is split about one-third each on security hardware (firewalls, intrusion detection systems, e-mail scanners, etc.), security software, and security personnel.

Based on industry standards for mission-critical applications, the average manufacturing IT organization should be spending about 5% to 10% of its manufacturing IT budget on security. This is a comparatively small percentage and easy to forget or ignore in capital projects and yearly budgets. However, security costs must now be figured into expenses, much as insurance is now, because they are a pure cost with no tangible return until they are needed. Then it definitely becomes money well spent.

For further reading on this topic, see the NIST "Introduction to Computer Security" handbook at csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf.


Author Information

Dennis Brandl is the president of BR&L Consulting, a consulting firm focusing on manufacturing IT solutions, based in Cary, N.C. dbrandl@brlconsulting.com



