Yokogawa: Back to Basics

Wednesday, October 5, 2016 @ 09:10 AM gHale

By Gregory Hale
Security is all about understanding the basics and using them as a foundation, but users often become blinded by bright shiny objects.

“If you fulfill the basic sense of security, you don’t have to worry about attacks,” said Graham Speake, CISO at Berkana Resources Corp. during his talk Tuesday entitled, “Improve Cybersecurity: Getting the Basics Right” at the Yokogawa Users Conference and Exhibition in Orlando, FL.


People working within the security area sometimes fall into what Speake calls the BSOS area, which stands for Bright Shiny Objects Syndrome.

“Vendors come up with shiny new technology, but do you really need it? Our brains do not want to do the everyday documentation,” he said. “Everything gets waylaid by bright shiny objects. We need to do the basics.”

He listed the basics as:
• Inventory
• Training/awareness
• Network segmentation
• Patching/upgrades
• Antivirus
• Authentication
• IT-OT integration

“We do these basics wrong time and time again,” he said.

When it comes to inventory, Speake simply said, “Know what you have. I haven’t been anywhere where (the user) knows what they have.”

He recalled one project where he was about to pull out some equipment and the user said everything had been turned off, yet lights were still running. The customer thought everything was turned off, but did not know why the product was still lit and had no idea what it was.

“Know what you have got and know what it is doing,” Speake said. “If you don’t know all of this basic information, you haven’t got a clue.”

Having a clue means you:
• Know what you have
• Where you have it
• What it is doing
• When it is doing it
• Document it

The problem this one customer had, Speake said, was that they didn't document anything, and going back to take an inventory of everything the customer is using ends up being a big, time-consuming task.

Inventory basics include optimizing firewalls. In one case, it took 4 to 5 weeks to optimize a firewall when it should have taken three days.

The goal of security training is to make sure everyone is on the same page, which means empowerment.

Users need to think about and apply security from the ground up. People will often bypass technology, so they need to equate security with safety.

As an example of bypassing technology, at one manufacturer Speake found a user with a secure system and a long password, but the user name and password with administrative privileges for all the computers were written in huge letters on a white board for everyone to see.

“Anybody could see it. Cleaners could come into the control room and they see it. They could be susceptible to bribery.”

Network Segmentation
We are getting better at network segmentation. “Don’t put everything on the same network, especially the business network. You need to segment your network. It is what you have to do. You have to segment our networks so you can isolate a problem,” he said.

Some ways to segment networks are to understand and follow the IEC 62443 standard, understand and protect your critical assets, and include firewalls and VPNs.

When it comes to patching and upgrading, Speake said, users need to do a risk evaluation, understand when they have to mitigate, and understand the cost versus risk model. In quite a few industries it is not possible to shut down the system for every patch that comes along, so a user needs to weigh the risk of running the process without the patch against the benefit of continuing operation. Some companies can run for years without patching.

Keep all antivirus programs up to date. Under antivirus, Speake also included whitelisting. The difference between the two is that whitelisting has a specific list of what is allowed to run on a system and blocks everything else, while antivirus has a list of known malware: it can recognize known malware and stop it, but lets everything else through.

Whitelisting is great for the manufacturing automation sector, but it is difficult to install and maintain. So unless the user is committed to maintaining the whitelisting program, Speake said, it could be too much to handle and would not be effective.

The user needs to verify the identity of people and the validity of their actions: understand and segment duties, allow actions, but know who is doing what, where, and when they are doing it. If someone logs on to the system at 3 a.m. when they usually work during the day, it might be a sign that a user name and password ended up stolen and someone is attacking.
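The 3 a.m. login check above is the kind of thing a defender can automate once logins are recorded. The following is an added example, not code from the article or from Yokogawa: it learns each account's usual login hours from a baseline period and flags later logins that fall well outside them. The log line format and the sample entries are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log (not from the article): a week of
# day-shift logins for one account, then a single 3 a.m. login from the same account.
SAMPLE_LOG = """\
2016-09-26T08:02:11 user=jsmith result=success src=10.1.2.15
2016-09-27T07:58:40 user=jsmith result=success src=10.1.2.15
2016-09-28T08:10:05 user=jsmith result=success src=10.1.2.15
2016-09-29T09:01:22 user=jsmith result=success src=10.1.2.15
2016-09-30T16:45:13 user=jsmith result=success src=10.1.2.15
2016-10-04T03:07:49 user=jsmith result=success src=10.1.2.15
"""
LINE_RE = re.compile(r"^(\S+) user=(\S+) result=(\S+) src=(\S+)$")

def parse_log(text):
    """Return (timestamp, user, result, src) for each well-formed line; skip the rest."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def learn_baseline(events, before, min_samples=3):
    """Hours of the day in which each user logged in successfully before `before`.
    Accounts with fewer than min_samples logins get no baseline: unknown is not suspicious."""
    hours = defaultdict(list)
    for ts, user, result, _ in events:
        if result == "success" and ts < before:
            hours[user].append(ts.hour)
    return {u: set(h) for u, h in hours.items() if len(h) >= min_samples}

def hour_distance(a, b):
    """Distance between two hours of the day, wrapping around midnight."""
    d = abs(a - b) % 24
    return min(d, 24 - d)

def find_off_hours_logins(events, baseline, since, tolerance=2):
    """Successful logins at or after `since` whose hour is more than `tolerance`
    hours away from every hour in that user's baseline."""
    flagged = []
    for ts, user, result, src in events:
        if result != "success" or ts < since or user not in baseline:
            continue
        if all(hour_distance(ts.hour, h) > tolerance for h in baseline[user]):
            flagged.append((user, ts.isoformat(), src))
    return flagged

def detect(log_text, cutoff_iso, tolerance=2):
    """Build the baseline from logins before cutoff_iso, then flag off-hours logins after it."""
    events = parse_log(log_text)
    cutoff = datetime.fromisoformat(cutoff_iso)
    return find_off_hours_logins(events, learn_baseline(events, cutoff), cutoff, tolerance)
```

Running `detect(SAMPLE_LOG, "2016-10-01T00:00:00")` flags only the 3 a.m. login; shortening the baseline so an account has too few samples yields no alert, which is the intended behaviour for accounts you do not yet know.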

IT-OT Integration
This is becoming a huge issue, and Speake feels the two sides should get along much better than they have over the years. Traditionally, the IT side focused on confidentiality while the OT side needed availability, and the two sides would clash over that conflict. What matters, though, is that IT has been dealing with security for decades while the OT side is just learning.

“We need to share knowledge,” he said. “Let’s get the IT people in to work together. Do not put up big barriers and say I am not going to talk to them. If you let the engineers do it, we will do it, but it will suck. Share the knowledge.”