Invensys: People Vital Security Measure

Sunday, October 14, 2012 @ 01:10 PM gHale

By Gregory Hale
Technology is vital and so are policies and procedures, but the true backbone behind a solid cyber security profile is the people making sure everything is running as scheduled.

“People are the most important factor in security,” said Paul Forney, chief technologist at Invensys’ R&D security team, during Invensys Operations Management’s User Group Series in Anaheim, CA, Thursday. “It takes people. If you don’t change the culture; it is the most important thing. You have policies and procedures; you have technology, but you need the people.”

There are three pillars to ensure true cyber security and they all carry a percentage of importance, Forney said. They are people at 65 percent, policies and procedures at 15 percent and technology at 20 percent.

“It is all about the ROI all wrapped around operational excellence,” Forney said. “Somebody can come in and hack you; it is all about operational excellence. There are some smart hackers out there and if there is one little hole in a firewall, they will find it and exploit it. You can’t put in a solution and then walk away. Security is something you start and keep going.”

Even in today’s environment where a new attack is just around the corner, there are some organizations that just don’t want to move forward with a comprehensive security program.

“Industrial environments are dangerous; there is some powerful stuff that can happen at a plant,” Forney said. “People say they are air gapped, but 99.9 percent of control systems are connected to the business system, which is connected to the Internet.”

An attacker, he said, has three challenges:
• Gain access to the control system LAN
• Through discovery, gain understanding of the process
• Gain control of the process

Obviously, the security professional’s goal is to hold the attackers at bay and ensure the system stays up and running. But the attack vectors are ever increasing with so many potential types of assaults.

Cyber warfare is just one newer attack, with individual countries firing cyber shots across each other’s bows.

“We now have the Army, Air Force, Navy and Cyber Ninjas,” Forney said.

In addition to cyber warfare, manufacturers face plenty of threats, ranging from terrorism and disgruntled employees to extortion and theft of private company assets.

While those issues are very similar to the woes IT professionals deal with in the business enterprise, those looking over industrial control systems (ICS) need to keep a sharp eye out because the consequences can be much greater.

“We are exposed to the same issues IT has, but we do have different needs,” Forney said. “We don’t use all of IT’s best practices because we do have different needs, like our end points are machines. In the IT world, if there is a problem you lose something on your hard drive. In ICS, you have people hurt. Security has to have specialized equipment, but it can’t slow down the process.”

Forney then showed some objectives security professionals should watch for:
• Prevent unauthorized changes to values in a controller, PLC
• Prevent misrepresentation of process values on the HMI
• Reduce the possibility of a production slowdown due to ICS software
• Protect integrity of process
• Prevent loss of genealogy
• Provide availability and safety

One of the most important things, if not the most important, a security professional should do is to clamp down the network, understand which programs should run and then turn off everything else, Forney said. No unnecessary programs.

He then added some best ICS practices:
• Maintain the latest patches
• Test every patch
• Always use current antivirus definitions
• Verify update was successfully installed
• Update authorized application software
• Enable network antivirus intrusion protection system
• Enable system policies on all capable network appliances

Another item is to avoid or limit the use of USB devices unless they have undergone a scanning process that ensures they are virus free. Also, designate a specific machine for using USB devices.

“You should know about everything on your network,” Forney said.
