Belden: Raise the Security Bar

Monday, October 7, 2013 @ 04:10 PM gHale

By Gregory Hale
While security awareness is on the rise throughout the industry, the level of security still appears to be rather poor.

“The level of security is so low right now. A bunch of 14-year-olds could bring down a system and they might not realize what they are really doing,” said Dr. Jonathan Butts, assistant professor and chief of the computer science and engineering division at the Air Force Institute of Technology and an active major in the United States Air Force during a cyber security panel discussion today at the 2013 Industrial Ethernet Infrastructure Design Seminar in Philadelphia. “Until we raise the bar for security, we will have a problem. My fear is something bad will happen.”

Belden: Networking at Infancy
Belden Guarantees Network Uptime
Carnegie Mellon Cyber Security Scholarships
Grant to Boost Wireless Security
DoE Awards to Boost Security Tools

In terms of the cost of security and how it applies to the bottom line, there was not real consensus except to say, companies need to make sure they have some type of security and then build from there.

“What is the return on investment? There are no real metrics to tell,” Butts said.

Manufacturers “need to get the ball rolling,” said Michael Glover, chief information officer at system integrator Prime Controls. “They need to just do something. Doing nothing is no longer an option.”

“There is no bottom line in security,” Butts said, “When things are going right, it doesn’t seem like anything is happening, but when things go wrong, then you know it.”

Understanding there is a security issue out there is one part of the battle, but another is knowing what to do when the security football falls into your lap. Just what and where can you go to start learning more about security?

“You really want to trust the experts,” said Michael Schell, global ICS security advisor for industry start up Cylance, a security provider that provides mathematical analysis to detect and prevent attacks. “You need to be very cautious of the people that will tell you what you want to hear.”

One of the other key aspects is to ask the right questions.

The main thing is to find a solution that is the right fit for you, not a solution a vendor has that you have to adjust your organization for,” said Zachary Tudor, program director at SRI Internatonal, an independent research institute that conducts client-sponsored research and development.

“Be wary of the people that will scare you into buying a solution,” Tudor said. “There is a lot of free advice out there; plenty of associations and peers at facilities. But you have to ask questions. Go to a car dealer and say you want transportation, you may end up driving off the lot with a Mack truck.”

All panelists agreed awareness is on the rise, but that is not necessarily followed by money budgeted to help fill the security gap.

There are ways that gap may end up filled.

“We may have legislation coming up that will mandate some type of security, or there may be some major incident that occurs,” Butts said.

“Getting the budget is not the problem,” Schell said. “The consistent budget is the problem.” But, Schell added, once you start asking the user questions and the more they realize just how many assets they have and how unprotected they are, budgeting money will shortly follow.

Things are getting better though.

“From a standpoint of awareness, six month ago some people wouldn’t even talk to me,” Butts said. “One and a half years ago all people would talk about is Stuxnet.”

Just look at what is selling today. Are you seeing more firewalls selling? Glover asked the audience consisting of users, systems integrators and distributors.

“Customers are not totally aware yet. They are getting there,” Glover said.

But even on a tight budget, there are some areas users need to focus on, like monitoring their log files.

“You are talking about situational awareness, understanding what is going on (on your system),” Butts said. “I would spend some money on training employees. A week long training program and people will come back energized.”

Some of the other areas the panelists said need watching are ports, protocols, passwords and permissions. They joked saying anything starting with a letter P needs watching. “Call it the Rule of P,” Tudor said.

The whole panel focused on industrial security, but the idea control engineers having to work with IT also ended up discussed. While the relationship between the two has gotten better over the years, there are still some areas that need smoothing over.

In the end it all comes down to communication.

“My grandfather once told me you don’t know why a man built a fence until you tear it down,” Glover said. “If you can get the IT guys to shut up for a while, they can learn something.”

“You want to create a value for their resume,” Schell said.

Leave a Reply

You must be logged in to post a comment.