Security requires taking a proactive stance to maintain health and prevent lapses in protection. In the industrial sector, a great place to start is with an assessment of your site security policies to uncover existing weaknesses, map out potential future risks, and recommend mitigation strategies. In a study by the ARC Advisory Group, it is recommended that organizations “focus on cures, not remedies.” As the study reveals, many existing control systems were developed prior to online security being as grave a concern as it is today. And while the need for compensatory controls and frequent patching (remedies) hasn’t gone by the wayside, ARC advises companies to invest more time and energy into developing new strategies that can cure (to the maximum extent possible) the underlying issues.
This is why security hygiene needs to be an organizational priority—and it requires the right game plan. First, emergencies need handling and weaknesses need uncovering. Second, you need a treatment plan for any issues found. Third, you need to ensure ongoing care and prevention. With a security assessment, companies can establish a baseline understanding of their existing security posture and begin to develop an effective long-term strategy for maintaining overall system health and hygiene.
A typical assessment entails several key components:
There are many benefits of an assessment in the discovery of the current security posture. Via a comprehensive report and workbook that maps out the potential risks for each system analyzed, enabling immediate security risk remediation, as well as long-term financial planning and resource justification. Best practices methodologies identify key risks and dictate necessary strategies for overall improved security posture.
To address the vulnerabilities, you need security solutions purpose-built for industrial and process control environments. Solutions should have a modular platform designed for scale to accommodate complex industrial control system (ICS) and SCADA systems and provide full network visibility, control, and protection. It should interoperate with traditional or next-gen firewalls to provide the right design for your IT-OT security transition zone, to best protect your processes and control systems, all without the need for network re-engineering or downtime. Additionally, industrial customers should expect device manufacturers to certify that their products have passed stringent security assessment throughout the product development life cycle.
Security cannot be an afterthought. Once an assessment has been completed, with vulnerabilities found and patched, companies can also look to implement new rules and tactics to continue to build upon their game plan for keeping fit.
These may include:
Human error is one of the leading causes of cybersecurity risk for any company. A good security hygiene program includes proper security training and awareness. This should include implementing stricter pre-employment screening requirements, enhancing access controls for privileged users, and offering training programs that encourage dialogue across the organization to raise awareness of cybersecurity risks.
Risk is everywhere, but it can be reduced by enabling accountability, implementing least privilege access, and regulating sensitive control and data access. Keeping up security hygiene isn’t easy, but ignoring the fundamentals of cybersecurity could lead to disastrous outcomes.
If performance and security are truly to be two sides of the same coin—scaling together positively as enterprises increase their use of intelligent machines and industrial big data—a fresh approach to security is required.