Summit: Security Best Practices

Wednesday, June 26, 2013 @ 08:06 PM gHale

By Gregory Hale
Sometimes starting is the hardest part, but when it comes to cyber security you have to know where to begin to truly understand how to protect a system.

“You need to start with your devices and see what you have,” said Marc Ayala, ICS/SCADA security manager at Cimation, during the Wednesday panel discussion on Best Practices for Industrial Security at the 2013 Siemens Automaton Summit in New Orleans. “If you have an inventory of your systems that would be great, but not a lot of people have that.”

Summit: Safety System Lessons Learned
Summit: Hacking Via YouTube
Phishing Attacks Keep Growing
Costs of Breaches Up Globally

One of the problems when starting off with an assessment of your system is quite a few people look at the assessment as an IT situation compared to a manufacturing automation issue.

“A lot approach this from an IT structure and they don’t have any expertise in control systems,” said Keith Jones, president of integrator Prism Systems.

There are a few variables to look at before taking that assessment.

“First off, is it a greenfield or a brownfield site? Roger Hill, manager of industrial security R&D at Siemens asked. “If it is a brownfield site what is your appetite for risk and do you understand what you can do?”

Chris Da Costa, cyber security manager for global operations for Air Products and Chemicals looked at the issue a bit differently.

“As an end user you need to understand what kind of threats you are facing,” Da Costa said. “You also need to know the vulnerabilities you have in your system. You need to take a standards-based approach because the standards out there are very good. The problem is if you give an engineer a problem, he will want to solve it. Use the standards so you don’t go and reinvent the wheel.”

In making an assessment everyone has to be on the same page.

Awareness of the people in the trenches is important so they know what they need to do,” said Jeff Sibley, research scientist at Dow Chemical.

On top of that, “you want to have a focal point behind cyber. It can’t be the third or fourth part of a job. You really need a champion,” Da Costa said.

After you get past the assessment stage, the panelists said they have seen quite a few manufacturers out there and the situation, generally speaking, is not pretty.

“There are very few industrial sites in the U.S. that are secure,” Jones said. “If you are running smoothly, then you will most likely be OK. But if you are not and you have a contractor come in, they can just plug right into a system and that presents a problem.”

Ayala agreed.

“Mobile workers can get into the flat networks quite a few manufacturers employ and they can read their emails and plug into a PLC,” he said.

“You need layers of protection,” Da Costa said. “It is not a matter of if, it more like when. Five years ago it would have been a different story.”

Today’s attacks don’t just go in and try to crash a system. To the contrary, attackers want to go into a system and keep it up and running so they can steal as much intellectual property (IP) as possible – without leaving a trace.

“You have recipes and information they may not want to shut you down,” Ayala said. “They want your IP. Once they have that, they can go to your customers with the same processes but lower costs.”

When the fast-paced lively discussion ended, the best summary came from Jones who said: “Having a long term plan is great, but do the little things first. Fix the easy things early and you will get a little bit more secure.”

Leave a Reply

You must be logged in to post a comment.