Security requires taking a proactive stance to maintain health and prevent bad stuff from happening. In the industrial sector, a great place to start is with an assessment of your site security policies to uncover existing weaknesses, map out potential future risks, and recommend mitigation strategies.
In a study by ARC Advisory Group, it recommends organizations “focus on cures, not remedies.” As the study reveals, many existing control systems were developed prior to online security being as grave a concern as it is today. And while the need for compensatory controls and frequent patching (remedies) hasn’t gone by the wayside, ARC advises companies to invest more time and energy into developing new strategies that can cure (to the maximum extent possible) the underlying issues.
Keep it Clean: Industrial Strength Security Health
This is why security hygiene needs to be an organizational priority—and it requires the right game plan. First, emergencies need handling and weaknesses need uncovering. Second, you need a treatment plan for any issues found. Third, you need to ensure ongoing care and prevention.
With a security assessment, companies can establish a baseline understanding of their existing security posture and begin to develop an effective long-term strategy for maintaining overall system health and hygiene.
A typical assessment entails several key components:
- Information gathering and documentation relating to an organization’s people, architecture, and technology
- Review and analysis of documents detailing network configuration, topology, policies, and other relevant aspects unique to an organization
- Onsite interviews and inspection with subject matter experts for additional technical and contextual understanding not apparent from documentation reviews alone
- Onsite technical testing to assess and evaluate the cyber security posture of assets
- Offline data analysis and application of best practices methodology to assess risks
- Risk assessment to identify sources of vulnerabilities, determine security posture, prioritize potential risks, and provide remediation roadmap
- A report of the findings that includes recommended mitigations based on prioritized risks
There are many benefits of an assessment.
- In-depth visibility: Discovery of current security posture via a comprehensive report and workbook that maps out the potential risks for each system analyzed
- Actionable results: Immediate security risk remediation as well as long-term financial planning and resource justification with analysis based on leading expertise in the operational technology security field
- Enhanced security: Best practices methodologies identify key risks and dictate necessary strategies for overall improved security posture.
To address the vulnerabilities, you need security solutions purpose-built for industrial and process control environments. Solutions should have a modular platform designed for scale to accommodate complex ICS and SCADA systems and provide full network visibility, control, and protection. And it should interoperate with traditional or next-gem firewalls to provide the right design for your IT-OT security transition zone to best protect your processes and control systems, all without the need for network re-engineering or downtime.
Additionally, industrial customers should expect device manufacturers to certify that their products have passed stringent security assessment throughout the product development lifecycle.
Security cannot be an after thought. Once an assessment’s been completed, with vulnerabilities found and patched, companies can also look to implement new rules and tactics to continue to build upon their game plan for keeping fit. These may include:
- Decreasing the use of commercial off-the-shelf systems that are easier to hack (the cost savings often aren’t worth the risk).
- Forbidding use of personal devices in control rooms.
- Requiring changes to default passwords on equipment.
- Blocking off USB ports (Do you want a USB drive to be the downfall of your operation?)
- Enforcing rules where they already exist.
Human error is one of the leading causes of cyber security risk for any company. A good security hygiene program includes proper security training and awareness. This should include implementing stricter pre-employment screening requirements, enhancing access controls for privileged users, and training programs that encourage dialogue across the organization to raise awareness of cyber security risks.
Risk is everywhere, but it can be reduced by enabling accountability, implementing least privilege access, and regulating sensitive control and data access.
Keeping up security hygiene isn’t easy, but ignoring the fundamentals of cyber security could lead to disastrous outcomes.