Hackers Never Sleep
Jane Alexander | July 10, 2015
Like plant safety, cyber security is everybody’s business. And it’s urgent. Regardless of origin and/or underlying agenda, hackers are targeting all sectors of the global economy. No organization or operation is off limits—yours included. The industrial protocols and networks, process-automation systems, human-machine interfaces, field devices, and other technologies that keep your business up and running are locked in their cross-hairs. If hackers can breach your security and take your operation down, they will.
By now, all industrial facilities should have some form of information-security-management system (ISMS) in place. If your site doesn’t—or if the ISMS it does have could be better—act now to correct the situation.
Developed by Gary Williams, senior director of technology, Cyber Security & Communications for Schneider Electric, Dallas, this 10-step approach will help any company, regardless of where it is with its cyber security program.
—Jane Alexander, Managing Editor
Adopt a standard. Although Williams recommends IEC 62443, any standard would be a good start. Standards provide a number of controls. Almost all of them call for senior-management buy-in.
Gather pertinent controls. All standards have recommended controls, but not all controls apply to your operations. Gather those that do.
Perform a gap analysis. With regard to your controls, what’s not compliant? Basically, compare your current state with your chosen controls.
Conduct a risk-and-threat assessment. Using your gap-analysis results, prioritize risks and threats that are most critical to your business.
Mitigate threats. Mitigate threats on a prioritized basis. Deal with critical threats first, then work your way through secondary threats. Note that it’s important to regularly review your critical threats.
Survey your system and gather configuration files. Conduct post-mortems along the way and capture switch, firewall, and other configuration information. This information is required for any recovery.
Store configuration files on and offsite. Create a recovery plan that involves storing critical data locally and in an offsite facility that is unlikely to be affected by any local disaster.
Inform all stakeholders. Williams notes that management is often unaware of the complexity of secure systems. “The more you educate them, the easier it will be to obtain resources for future enhancements/maintenance.”
Verify regularly. Review your security system on a regular basis. The environment changes daily, as do your threats and vulnerabilities. According to Williams, it’s important to create a “cold-eyes review team.”
Educate at all levels. Cyber security is everyone’s responsibility, so keep everyone informed. Educating engineers in control rooms is crucial, as they provide an early-warning system and first line of defense against cyber attacks. They should be able to identify and isolate potential problems and call in experts to mitigate them.
To learn more about information security management, visit Schneider Electric’s Cyber Security Resource Center.