here are some subjects that make you stop to think about which way is forward. The integration of control system networks with enterprise networks -- including the security issues that involves -- is one of those subjects.
One of the more telling remarks I’ve heard about it came out of a network security panel discussion at Automation Fair late last year. “As a controls systems engineer I spent 18 years trying to integrate networks,” said panelist Tom Good, project engineer in Dupont’s Engineering Department, Electrical Instruments and Control Systems. “I’ve spent the past few years putting up walls between those networks.”
That’s not the first time most of us have heard control network professionals wrestle with seemingly irreconcilable industrial needs.
The panel members traversed much of the landscape of how to secure fully integrated control networks, following well-worn paths about the need for companies to have common, well-accepted security policies that IT and control people alike can stand behind. They also acknowledged why it’s important to recognize that the traditional IT role is to protect intellectual property and data on servers, while factory floor networks have to ensure that they never lose control of the process, given the impact it can have on community, the environment, and personal safety.
Thanks for the advice, but that’s old news. Well, these panel members knew that’s old news, so they also offered some intel that can help you formulate actionable plans, even when you don’t have a completely baked set of policies.
Policies or no policies, much of this comes down to doing the right things the right way. “Remember, as security manager,” said panelist Bryan Singer, chairman of the ISA SP-99 standards body focusing on the security issues of the control systems environment; and business consultant control systems security for Rockwell Automation, “your job is to keep your company off the front page.”
A starting point, agreed the panelists, is to recognize that most of the network breach or failure problems come from the actions of well-intentioned factory personnel taking unauthorized actions. That’s a training issue that can be remedied. On top of that, have sensible system defaults. “Our firewalls go in with all the doors closed,” said Good. “Then we make exceptions, one-by-one, to let authorized personnel in. It’s always the bare minimum.” Singer agreed. “I’ve seen too many places where an operator can browse from his HMI.”
Whatever you do, don’t make network security another layer of confusing bureaucracy. “Cyberthreats shouldn’t be a seen as an additional point of failure for a system,” stressed Good.
The panel’s experiences argue that your company, like most, already has much of what it needs in place, it’s just not pulled together properly. Darrin Miller, security researcher for the critical infrastructure assurance group at Cisco Systems, reminded us that “there are a lot of simple, inexpensive things that reduce risk. Firewalls can be configured easily to get rid of a lot of potential damage from viruses, worms, and the like.”
Even if your company doesn’t have a real actionable battle plan at this point, there’s one thing you should be doing. The panel emphasized the importance of an eyes-wide-open risk analysis to review every network connection for vulnerabilities. “There are modems you don’t know you have,” said Singer, and there are open ports out there that people plug laptops into.” Panelists recommended both NIST and ISA has sources of help for this.
Once the vulnerabilities are smoked out, evaluate the risk likelihood and the magnitude of the risk’s impact. At the very least, you’ll have a foundation to make sound decisions about mitigating a risk or knowingly deciding to live with it.