There’s no escaping the push to secure industrial applications. The end of support for Microsoft’s Windows XP operating system is just the latest situation that contributes to the need to make sure that industrial networks have cyber security measures in place.
The challenge is how to go about it. No one wants to be tagged with the responsibility to implement it because the technology can be confusing, the doublespeak from the experts can be frustrating, and the pressure to do something without clear direction or budget from management is commonplace.
If you’re the person tasked with security—and if you're reading this, you probably are—the ambiguity surrounding security for industrial systems has probably struck you already.
Vendors are not offering security like they offer a PLC or drive. There are plenty of experts who can help you, but their approach feels more custom than standardized, and they tell you you’re never completely secure … just more secure than you were before.
One tool in the toolbox to help you improve the cyber resilience of your facility is to leverage the know-how of your company’s IT security experts. Before you start running for the hills at this suggestion, I hope you will read on and find out how this may actually help.
Why IT Are Your Friends When IT Comes to PLC Security
As daunting as solving the industrial systems security puzzle for your facility may seem, a part of the answer has been right in front of you the whole time:
You need to reach out to your friends in the IT department.
While many controls and process engineers have had their struggles working with IT, when it comes to security, they are your most valuable resource.
Strange as it may sound, the security experts in your company’s IT department may be the easiest and fastest route to securing your industrial applications.
IT has been implementing security effectively in the enterprise space for many years. In addition, it is not uncommon for IT professionals to have been trained and certified to apply enterprise security.
IT staff know what security costs, how to implement security, and how to manage it. They understand the buzzwords and keep up with security trends, technologies and products. They have a budget for security and often can include the industrial space in their security deployments.
The Must-Have Guide to Working with IT on Cyber Security
Though the security that IT can provide is very close to what’s needed in the industrial space, you’ll need to provide your newfound friends in IT with some important information before you turn over the responsibility to them. Here’s your step-by-step guide:
- Repair any bridges you may have burned previously with your IT contact.
- Find out who handles computer and network security at your company, get an introduction from your friend, and meet with them.
- Ask them about the kinds of things they do currently to provide security. Regardless of whether they blow you away with technological sophistication or humbly list a few things, like providing antivirus, password authentication and a perimeter firewall, you should acknowledge, respect and compliment their efforts and abilities.
- Ask if they are willing and able to extend their security further into your production area. Be prepared to work through any hesitation on their part to gain their support. Even if it means climbing a mountain, remember that having them carry the security load will be way easier than doing it yourself.
Even if it means climbing a mountain, remember that
partnering with IT makes your security load lighter.
They may recommend doing a risk assessment to determine how best to add security. This is a good idea, especially if they agree to keep it simple. Plus, you’ll have an easier time securing your application if you first clean up your networks.
Be sure to insist on the use of industrial switches, routers and physical media. IT typically doesn’t understand your specific needs here, so this is one area in which you’ll need to be actively involved.
Make sure IT understands that, even when sitting in a control room, equipment can be exposed to aspects of the plant environment, such as shock and vibration, electromechanical noise, temperature extremes, and, possibly, chemical exposure.
Also very important is to make sure that the industrial-grade firewalls being reviewed are able to inspect and secure industrial communication protocols, like Modbus, EtherNet/IP and OPC.
Share with them these very important considerations for implementing industrial security:
- IT’s standard PC antivirus and authentication approaches are fine.
- IT’s enterprise-style of patch management can’t be automatically deployed on the plant floor. Instead, it needs to be planned and scheduled to ensure they don’t download a patch and reboot a plant floor computer in the middle of production. Also, you’ll probably need to test the computer’s applications after applying patches and maintain the ability to roll back the computer if there are problems.
- IT knows little about PLCs, DCSs and drives, so you’ll need to ensure those devices are appropriately secure yourself. Appropriate steps include setting their passwords, locking or disabling unused ports on the devices, and ensuring that the networks and other connections to them are secure.
Get Started on Improved ICS Security Today
I hope I have convinced you that partnering with IT to leverage their security skills and budgethas merit. Trying the tips above does not have much downside as long as you are sure to explain how industrial firewalls and networking priorities are different from those on the enterprise side.
Included below are some materials your IT friends will likely find helpful.
Let me know your thoughts on this approach and how it works out for you.
- Blog: SCADA Security Basics: Why are PLCs so Insecure?
- Blog: SCADA Security Basics: Why Industrial Networks are Different than IT Networks
- Blog: Industrial Networking: Easy Security Risk Assessment
- Blog: Why Patching for SCADA and ICS Security is a Broken Model
- Webpage: Tofino Security Appliance
- Brochure: Leading Networking Solutions for Industrial & Mission Critical Applications
- Capabilities Bulletin: Bonded-Pair Cables Ensure More Robust Performance and More Peace of Mind