Industrial Security IS the hot topic today. No one denies that the threats are out there. Further, management was probably right in deciding to assign the task and ask you to figure it out, come up with a plan and protect the company from… well, they didn’t say.
All the while, you know you’ve got little to no budget and the mandate to keep production running if and when you put your plan into action. After a few conversations, you’re pretty sure that you can’t afford the 3rd party risk assessment from the consultants you talked with, and you’re even more certain you can’t afford the plans they hinted at laying out for you.
But you can’t afford to do nothing! Instead, try this zero cost industrial security risk assessment. While it isn’t for everyone, it may be just what you need. We guarantee it is more effective than doing nothing, and taking action here may just help your company avoid some serious security incidents.
The kind of assessment we’re describing below is a great place to begin, it is easy and can be effective in making you and your company more secure. Please remember that no security measures are 100% foolproof, and the best security requires that you monitor, evaluate and improve your plans regularly.
1. Determine Who Should Help with the Assessment
You’ll need the different perspectives that come from working with a few others who don’t see your business from the same viewpoint as you. You’ll also need to keep the entire group thinking as objectively as possible during a few of the steps.
If you have the budget to bring in outside help here, look for the perspective and objectivity from them as well. Consider a person from each type of job that works with your company’s equipment and systems, along with IT, an executive, and an outsider if possible.
You can decide when to involve the whole group and when to limit the activities to just a few, provided you get everyone’s objective input and insight.
This is a good exercise for the group to brainstorm. For a moment, put security out of your mind and simply create a list of the most critical assets that your company must protect in order to continue to be successful.
These don’t need to be the most expensive machines or the highest paid employees. Instead, they may include:
• machinery that is commonly the critical path in production,
• a few workers with skills you can’t do without for even 1 day,
• the business system that keeps raw materials, finished product and orders flowing,
• or the secret recipe that is at the core of making your most valued product.
Key questions to ask are:
• What’s most important to maintain production around here?
• What is important and a bit “vulnerable”?
• If you were paid only on your ability to keep our company producing, what would keep you up at night?
3. Prioritize and List the Largest Risks for Each Asset
Those risks may include non-security related things. For example, key employees may become ill, injured, or leave the company for another job. Key pieces of equipment may be more at risk from the unintended actions of poorly trained employees. Pieces of the business system may be more vulnerable to fail during power surges or outages that seem to occur all too often. And for some, you’re likely to list security as a valid concern.
We suggest you find ways to address each of the highest priority non-security related items on your list, but will focus on those with security as a potential risk for the remainder of this article. Before leaving the list of assets that didn’t seem to have an associated security risk to another team of fix-it specialists, go through the list again.
For this pass, be sure to get the most diverse and critical input as possible, and ask the group what kinds of security issues might exist for each asset on the list. Be sure to ask, “What SHOULD we be afraid of?” If the answers you’re getting are possible and even remotely plausible, then put that asset on the “security” list.
4. Prioritize the List of Industrial Security Assets
Base this on:
• how easy is it to access and affect the asset (you might ask for some outside help here)
• how long would the asset and/or production be unavailable if this happened
• how likely would someone either want to maliciously affect this asset or would breech security for good reason, but with accidental consequences to the asset.
You can make a simple chart to record & score these.
5. Determine and Rate Existing Protection Measures
Determine what current security mechanisms, actions, policies and procedures are protecting each asset. Objectively, determine how effective they are.
Once complete, you have everything you need to create a practical, affordable and effective security plan. You have a reasonable list of assets that need protection, and a prioritized list of potential security vulnerabilities for each.
In addition, you’ve got a list of non-security issues that you can use to justify the value & priority of your security needs. If you’ve involved executive management from the start, you’ve paved the way for management support and hopefully budget for the actions you’ll need to take. And since you’ve involved others from different roles, you’ve got a chance to put something in place that everyone can live with.
Your next steps are to determine how many of those high priority assets to protect and how to protect them. If the list is long and you’re not sure how to get it all done, plan on a phased approach and secure the first or most vulnerable set of assets on your list in phase 1.
Finally, if you’re not sure how to put the most effective protection in place, there are resources such as the industrial security professionals in our company to draw upon.
Let me know if this easy industrial security risk assessment is helpful, or if you have other tips to share.
Another approach to risk assessment and additional guidance on industrial security is provided in the white paper below.
• Automationworld On Demand Webinar: Industrial Security in the Real World: Practical Steps
• Blog: SCADA Security: Justifying the Investment
• Blog: SCADA Security Basics: Why are PLCS so Insecure?
• Webpage: Belden Security Solutions
• Tofinosecurity.com blog: 7 Steps to ICS and SCADA Security plus White Paper