3 pillars of industrial cyber security
A stable physical structure requires at least three main supports. Industrial cyber-security is no different; it requires supporting structures for a stable system. Three “pillars” form the basis for an effective cyber security system: technology, policy and procedures, and people.
Technology: knock, knock
The first pillar of security is technology. Security technology is the easiest to identify and quantify so it is often the focus of most of an organization’s cyber-security efforts. However, while technology is important, it is no more important than the other two pillars. Security technology deals with the identification of users, authentication of users and systems, and access control for users and systems. It also includes firewalls, virus protection software, data encryption, time-controlled resource availability, gateways, intrusion detection systems, network access control systems, and wireless network security.
Technology based cyber-security systems are like locks on doors and windows and motion detectors inside buildings. They provide a measure of protection against nonprofessional attacks, but any technology can be overcome when attacked by professionals. Professional locksmiths can open almost any lock and disable most internal security systems, and well-trained security professionals can bypass almost any technology-only security system.
Demonstrations at recent conferences by experts from the U.S. Department of Homeland Security’s National Cyber Security Division have shown how easy it is to break into control systems. Break-ins were accomplished even though the systems were behind correctly configured firewalls, with multiple levels of password protection, and running under an intrusion detection system with network access control. These simulated attacks demonstrate that it takes more than just technology to implement an effective cyber-secure industrial system.
The second pillar of a cyber-security system is a set of well-defined and readily available policies and procedures. Policies and procedures define how to apply technology security solutions in an effective manner. They encapsulate the knowledge required to configure, operate, and evaluate your cyber-security systems. Policies and procedures should start with a security policy. A security policy defines the overall rational for the policy, identifying the risk-versus-cost rules that can be applied to other policies and procedures. A security policy should not define the technologies to be used. Technology solutions will change over time, but the policy should define specific requirements that must be met by any technology implementation. Don’t be afraid to have multiple security policies, one for each part of your facility with different fundamental requirements. Policies and procedures should specify the security organization, defining the specific roles and reporting structure that should be in place to effectively use the security technology. Other policies and procedures should cover areas such as asset management, access control, incident management, business continuity plans, compliance management, vendor selection, security system maintenance, and communication management.
It is important to remember to make the procedures available in an attack. If the procedures are just stored on-line, they may not be available if the on-line system is the one that was compromised. Therefore, multiple independent copies of the procedures and paper copies should be maintained to ensure their availability even if the networks and servers are unavailable.
The third pillar of cyber-security is a trained and motivated workforce. The best technology, policies, and procedures still do not provide an effective security system if you don’t have the right people support. The weakest links in most security systems are people. “Social engineering” is the term that security professionals use to describe simple methods used to trick people to reveal passwords, open Microsoft Word or PowerPoint files, download files, and insert USB drives. Any of these actions can be, and have been, used to attack a system.
Your workforce must be educated in security technologies and security procedures. Education in security procedures can usually be done at a low cost and can be integrated into other corporate training on safety and regulatory compliance. Education in security technology usually requires outside training and can be expensive, but it is vital if the technology is to be effectively installed and used. Without a trained workforce installing and maintaining the technology solutions, it is easy to have a false sense of security.
Additionally, even the best trained workforce must be motivated to correctly follow policies and procedures. Motivation comes from understanding the consequences of a compromised system and the reasons for the policies and procedures. It is important for employees to understand that inattentiveness or sloppy execution of security procedures can seriously impact their company, jobs, and community. Motivation also comes from buy-in of the policies and procedures, usually accomplished by encouraging users to suggest improvements to security policies and procedures. Many times IT departments will develop security policies without consideration of the impact on production, while the people who have to implement the policies may have simple suggestions that would significantly increase compliance without reducing security. Effective training and motivation provide the third pillar for an effective security system.
For example, all three security pillars could be used to protect a simple control system. The technology pillar includes the firewall protecting the system and the login accounts to the control system. In a secure environment the login accounts for the control system would be separate from the general corporate accounts. Policies and procedures provide a second pillar by specifying who can be granted login accounts and what training is required before access is granted. The third pillar is the actual training required by employees before they are granted system access. The training would include the reasons for the secure environment, any known risks, and the consequences for failing to protect that environment.
Industrial cyber security systems must be built on a stable platform of technology, policy and procedures, and people. If any element is missing, then the system may appear secure but will be vulnerable to attack and compromise with serious consequences to safety, company, jobs, and communities.
– Dennis Brandl is president of BR&L Consulting in Cary, N.C., www.brlconsulting.com. His firm focuses on manufacturing IT. Contact him at firstname.lastname@example.org; Edited by Mark T. Hoske, content manager CFE Media, Control Engineering.
– Read more Engineering and IT Insight columns: atop www.controleng.com search:
– See link to July cover story, Dark Side of Mobility, below.