Jeff Smith of American Axle & Manufacturing (AAM) is a guru in the world of industrial Ethernet networking and ICS Security. We were fortunate to have him speak again at the 2013 Belden Industrial Ethernet Infrastructure Design Seminar.
In a previous article I outlined the reasons AAM decided to move to Ethernet/IP communications and how they implemented best practices such as standardized segmented network configurations. Today I am going to write about Jeff's approach to ICS security.
Jeff opened his remarks by saying no one wants to spend money on security. However, he feels that that is the wrong question. What you should be asking is:
"How much do I need to spend to feel comfortable with the risk?"
To answer this he suggested you assess your current security posture and then define the objectives for improving that posture.
In the case of AAM they decided on the following four priority areas:
- Removing PCs from the manufacturing network. Put them on the enterprise network where possible.
- Isolating PCs at the edge of the network and implementing a firewall with Deep Packet Inspection and VPN capabilities to connect them to the manufacturing network.
Jeff's graphic above highlights his point of view on this topic. For AAM this strategy disallows dual-homed machines, which includes removing the NIC that connected the PC to the fieldbus.
After establishing your priority objectives, you then need to implement solutions. At the presentation Jeff demoed the AAM remote access system and provided AAM standard network diagrams.
Jeff's Deep Thoughts on ICS Security
What I really liked about Jeff's talk was his emphasis on having the proper perspective on ICS security. He described his points as "deep thoughts," spoofing the SNL "Deep Thoughts with Jack Handey" skits, and they are applicable to end users, suppliers and integrators alike. Here are some of them:
(here is information about one such device)
When you hear Jeff talk about security, it comes across as straightforward and practical. That's something to keep in mind as you deal with the real-world challenges of learning new technology while still getting your day job done, changing how you do things, and influencing your organization to move in the right direction.
Just keep remembering that security does not have to be complicated. As Jeff says:
"Do something, a little today and more tomorrow. Eat that elephant one bite at a time."
How have you helped move your organization towards better cyber security practices? Let us know your keys to success.