HUG: Security Plan a Must

Wednesday, June 13, 2012 @ 01:06 PM gHale

By Gregory Hale
Control systems are undoubtedly getting more sophisticated these days, but cyber attacks are becoming more prevalent every day.

“Cyber security cannot be an afterthought,” said Gregory A. Rogers, PE, senior manager, control engineering at Enterprise Products during his Wednesday keynote address at the Honeywell Users Group (HUG) 2012 in Phoenix, AZ. “Management is starting to become more aware. There are differences between IT and control systems. Availability is more important.”

Rogers gave a good rundown of what a company should do to achieve a basic level of security. He said technologies used in the IT environment today can apply to industrial control systems (ICS), but users applying them should keep in mind:
• Legacy systems
• Bandwidth limitations
• Availability as a priority
• Vendor compatibility

“Downtime due to a cyber security event is unacceptable,” Rogers said. “A simple incident can cost millions of dollars. Platforms used to be isolated and now they aren’t; that makes us more vulnerable to attacks. You have to make sure you are aware of your vulnerabilities.”

Learning about vulnerabilities is not an easy endeavor. Part of the issue is that you have to get management to sign off on the decision to create a security plan.

An efficient cyber security plan, Rogers said, means you have a good basic understanding of your system. He said what they follow at Enterprise Products is the 4 P’s: Policies, Priorities, Practices, and Personnel.

“All executives have to sign off on our policy,” Rogers said. Having support from the top down is very important.

That support level is vital, but so is the idea of making our policies enforceable. Users also have to review a security plan at least annually.

On the priority front, users need to know their attack vectors; know the risk; identify all hardware and software in their system; develop a risk management matrix to assist with planning and implementation of a security management platform; and establish a revenue and loss plan for an attack.

When it comes to practices, Rogers said intrusion detection and security information and event management (SIEM) are the norm, but you also have to create a defense-in-depth posture. In addition, users have to use modern network tools and mitigation procedures to create network layers like firewalls. “Firewalls allow you to control the traffic,” Rogers said.

Part of implementing practices is defense in depth, which means using different approaches and technologies that can stop or severely delay an accidental or malicious attack.

One concept is whitelisting, where the user lists the applications the system is allowed to recognize. All others are not allowed. Whitelisting is a solid platform, but not the only answer.

“We just don’t rely on whitelisting,” Rogers said. “We use blacklisting, antivirus… You just can’t do patch management and say you are secure. As you use cyber security, think about independent protection layers.”

One of the major factors of a security plan is the human factor.

“You have to create a culture of cyber security,” Rogers said. “Training and expertise of staff will minimize events.”

When it comes to security, Rogers said, “It isn’t a matter of if you will suffer an attack, it is when you will. If you leave the back door open, someone will come in.”

One Response to “HUG: Security Plan a Must”

  1. the SCADAhacker says:

    If they are using IDS and SIEM within the ICS networks (not just at the conduits on the perimeter), the folks at Enterprise Products should present a paper at many more of the leading ICS security conferences!

    Few companies are implementing appropriate “detection” tools below the inside firewalls to monitor traffic on these highly vulnerable ICS networks. It would be great to hear his views on this. In addition, it would be particularly interesting to hear his position on SIEM event collection when Honeywell does not typically allow you to install traditional syslog agents on their nodes, hindering the ability to report and consolidate “system-wide” event log information.
