There’s no escaping the push to secure industrial applications. The end of support for Microsoft’s Windows XP operating system is just the latest situation that contributes to the need to make sure that industrial networks have cyber security measures in place.
The challenge is how to go about it. No one wants to be tagged with the responsibility to implement it because the technology can be confusing, the doublespeak from the experts can be frustrating, and the pressure to do something without clear direction or budget from management is commonplace.
If you’re the person tasked with security—and if you're reading this, you probably are—the ambiguity surrounding security for industrial systems has probably struck you already.
Vendors are not offering security like they offer a PLC or drive. There are plenty of experts who can help you, but their approach feels more custom than standardized, and they tell you you’re never completely secure … just more secure than you were before.
One tool in the toolbox to help you improve the cyber resilience of your facility is to leverage the know-how of your company’s IT security experts. Before you start running for the hills at this suggestion, I hope you will read on and find out how this may actually help.
Why IT Are Your Friends When IT Comes to PLC Security
As daunting as solving the industrial systems security puzzle for your facility may seem, a part of the answer has been right in front of you the whole time:
You need to reach out to your friends in the IT department.
While many controls and process engineers have had their struggles working with IT, when it comes to security, they are your most valuable resource.
Strange as it may sound, the security experts in your company’s IT department may be the easiest and fastest route to securing your industrial applications.
IT has been implementing security effectively in the enterprise space for many years. In addition, it is not uncommon for IT professionals to have been trained and certified to apply enterprise security.
IT staff know what security costs, how to implement security, and how to manage it. They understand the buzzwords and keep up with security trends, technologies and products. They have a budget for security and often can include the industrial space in their security deployments.
The Must-Have Guide to Working with IT on Cyber Security
Though the security that IT can provide is very close to what’s needed in the industrial space, you’ll need to provide your newfound friends in IT with some important information before you turn over the responsibility to them. Here’s your step-by-step guide:
Even if it means climbing a mountain, remember that partnering with IT makes your security load lighter.
They may recommend doing a risk assessment to determine how best to add security. This is a good idea, especially if they agree to keep it simple. Plus, you’ll have an easier time securing your application if you first clean up your networks.
Be sure to insist on the use of industrial switches, routers and physical media. IT typically doesn’t understand your specific needs here, so this is one area in which you’ll need to be actively involved.
Make sure IT understands that, even when sitting in a control room, equipment can be exposed to aspects of the plant environment, such as shock and vibration, electromechanical noise, temperature extremes, and, possibly, chemical exposure.
It is also very important to make sure that the industrial-grade firewalls being reviewed are able to inspect and secure industrial communication protocols, like Modbus, EtherNet/IP and OPC.
Share with them these very important considerations for implementing industrial security:
Get Started on Improved ICS Security Today
I hope I have convinced you that partnering with IT to leverage their security skills and budget has merit. Trying the tips above does not have much downside as long as you are sure to explain how industrial firewalls and networking priorities are different from those on the enterprise side.
Included below are some materials your IT friends will likely find helpful.
Let me know your thoughts on this approach and how it works out for you.