Security requires taking a proactive stance to maintain health and prevent lapses in protection. In the industrial sector, a great place to start is with an assessment of your site security policies to uncover existing weaknesses, map out potential future risks, and recommend mitigation strategies. In a study by the ARC Advisory Group, it is recommended that organizations “focus on cures, not remedies.” As the study reveals, many existing control systems were developed prior to online security being as grave a concern as it is today. And while the need for compensatory controls and frequent patching (remedies) hasn’t gone by the wayside, ARC advises companies to invest more time and energy into developing new strategies that can cure (to the maximum extent possible) the underlying issues.
Keep it clean: Industrial strength security health
This is why security hygiene needs to be an organizational priority—and it requires the right game plan. First, emergencies need handling and weaknesses need uncovering. Second, you need a treatment plan for any issues found. Third, you need to ensure ongoing care and prevention. With a security assessment, companies can establish a baseline understanding of their existing security posture and begin to develop an effective long-term strategy for maintaining overall system health and hygiene.
A typical assessment entails several key components:
- Information gathering and documentation relating to an organization’s people, architecture, and technology
- Review and analysis of documents detailing network configuration, topology, policies, and other relevant aspects unique to an organization
- Onsite interviews and inspection with subject matter experts for additional technical and contextual understanding not apparent from documentation reviews alone
- Onsite technical testing to assess and evaluate the cybersecurity posture of assets
- Offline data analysis and application of best practices methodology to assess risks
- Risk assessment to identify sources of vulnerabilities, determine security posture, prioritize potential risks, and provide a remediation roadmap
- A report of the findings that includes recommended mitigations based on prioritized risks
An assessment has many benefits in discovering the current security posture. It produces a comprehensive report and workbook that maps out the potential risks for each system analysed, enabling immediate security risk remediation as well as long-term financial planning and resource justification. Best practices methodologies identify key risks and dictate necessary strategies for overall improved security posture.
To address the vulnerabilities, you need security solutions purpose-built for industrial and process control environments. Solutions should have a modular platform designed for scale to accommodate complex industrial control systems (ICS) and SCADA systems and provide full network visibility, control, and protection. They should interoperate with traditional or next-gen firewalls to provide the right design for your IT-OT security transition zone and best protect your processes and control systems, all without the need for network re-engineering or downtime. Additionally, industrial customers should expect device manufacturers to certify that their products have passed stringent security assessment throughout the product development life cycle.
Security cannot be an afterthought. Once an assessment has been completed, with vulnerabilities found and patched, companies can also look to implement new rules and tactics to continue to build upon their game plan for keeping fit.
These may include:
- Decreasing the use of commercial off-the-shelf systems that are easier to hack (the cost savings often aren’t worth the risk)
- Forbidding use of personal devices in control rooms
- Requiring changes to default passwords on equipment
- Blocking off USB ports (Do you want a USB drive to be the downfall of your operation?)
- Enforcing rules where they already exist
Human error is one of the leading causes of cybersecurity risk for any company. A good security hygiene program includes proper security training and awareness. This should include implementing stricter pre-employment screening requirements, enhancing access controls for privileged users, and offering training programs that encourage dialogue across the organization to raise awareness of cybersecurity risks.
Risk is everywhere, but it can be reduced by enabling accountability, implementing least privilege access, and regulating sensitive control and data access. Keeping up security hygiene isn’t easy, but ignoring the fundamentals of cybersecurity could lead to disastrous outcomes.