Sole Focus on Cyber Security Could be Fatal – Security Requires 360 Degree Effort | Automation.com


September 26, 2016

By Bill Lydon, Editor, Automation.com

Cyber protection is certainly a major issue for industry, but a comprehensive security program also needs to address the physical and personnel aspects of protection and detection. There is a tendency to think about cyber security and physical security separately, which generally reflects the silos of responsibility in an organization. Attackers who gain physical access to a computer or network have a much higher probability of infiltrating further within a facility, potentially reaching an automation system. There is no single silver bullet. Reliable security is a complete package requiring a thorough, systematic approach. Strategic physical security contributes to stronger protection of personnel, hardware, programs, networks, and data, deterring and preventing serious losses or damage from burglary, theft, vandalism, and terrorism.

More Physical Access Points

The surge of IP-connected devices in the automation industry presents greater cyber security challenges. The number of network connections in automation systems has increased dramatically with the use of Ethernet to interface sensors, controllers, HMIs, historians, and other devices. This is compounded by the sharing of networks that include IT, voice, and video, which multiplies the number of network access points. Any device that is connected to the network must be adequately protected to ensure that it cannot be turned into a loophole to be used in an attack. For example, how many control cabinets containing industrial Ethernet connections, switches, and routers do not have locks or are left unlocked? Key locks on cabinets are not effective without tight control of the issuance and tracking of keys, especially if the keys can be copied or shared by many people. Further, a great number of network-connected devices are not locked in cabinets at all. This is a major flaw in physical security that can lead to trouble for industrial facilities down the road.

Outside Contractors

Businesses see value in using temporary workers, contractors, and subcontractors, but they can be a source of high risk. A high-visibility example is the famous National Security Agency (NSA) incident. The NSA contracted with Dell Inc. and Booz Allen Hamilton. Both of these contractors hired an infrastructure analyst named Edward Joseph Snowden. In June 2013, Snowden disclosed thousands of classified documents that he acquired while working as an NSA contractor, first for Dell and then for Booz Allen Hamilton. The vetting of contractor personnel, and of the personnel they subcontract, is an important dimension of security that needs to be considered. The integration of OT and IT means that any contractor who touches the plant or business network can potentially be a threat.

Remote Access

Many vendors are pursuing remote access to equipment to perform predictive analytics, monitor performance, and carry out other functions. This may lead to greater uptime, but it can also become another access point for cyber security breaches. The well-publicized Target department store cyber breach was accomplished by attackers compromising a third-party vendor, a refrigeration contractor, to access Target's corporate network.

BYOD

Smartphones and tablets are inherently the weakest link in security, and addressing them requires a technical and operating policy solution. A system may be secure, but when contractors walk through the front door with their own devices, you may have a “Trojan horse” in your facility. Employees and contractors should be included in an overall Bring Your Own Device (BYOD) initiative. This could include installing software on contractor devices to secure them. Another approach is issuing employees and contractors phones, tablets, or laptops for exclusive use on company projects, configured specifically for use in your facility.

Cybersecurity is meaningless for your organization if your physical security is lax

Today, security can mean a range of things, including physical security, cybersecurity, and contractor and personnel management. The departments that manage the technology for these different aspects of security can include facilities, personnel, industrial automation, and IT. They are usually entirely separate groups that need to collaborate for a comprehensive security program.

Defense-in-Depth

Cyber experts promote the concept of defense-in-depth, which protects a system against any particular attack using several independent methods, and this should include physical security. It is a layering tactic, conceived by the National Security Agency (NSA) as a comprehensive approach to information and electronic security. Physical security is an essential dimension of protection if a facility is to keep out the bad guys.
