Cybersecurity is a key concern for many companies. With practically every organization guarding proprietary information or strategic plans, there’s a great need to implement safeguards and make sure employees are well-versed in doing their part to protect sensitive information and valuable equipment.
In this blog post, we’ll discuss a few considerations for building a security strategy for your industrial control system (or ICS).
Think about the last time you set up a password outside of work. There’s a reason why you didn’t (we hope) bust out a 1234, the classic “qwerty,” or something involving just your initials.
Those password guidelines that you see with a bunch of requirements? They’re not there to annoy you with their “weak” to “strong” password assessments – they’re meant to help you choose something that would be difficult to guess by someone you don’t want accessing your account.
In a Defense-in-Depth strategy, this would be an initial layer of security. The next layer might provide you with a token or code that you’d need to input to verify your identity. Another layer could ask you to remind them of the model of your first car – or better yet, have you answer a question you wrote yourself.
The idea behind a multi-layered security strategy is to ensure potential threats to your account will be challenged repeatedly (though ideally they won’t make it past your ironclad password, of course).
Now, isn’t that approach one you’d like to implement to protect your industrial control system?
There are a number of elements involved in securing your industrial control system and the equipment surrounding it. Today, we’ll focus on machines, the network, and devices that may be used for remote access to the ICS.
An effective security strategy needs to address both internal and external threats.
By internal threats, we don’t necessarily mean actions taken with malicious intent. Human error or shortcuts can also make your ICS more vulnerable. If a process isn’t followed for machine maintenance or remote access, there could be unintended consequences.
For machine updates and maintenance, you may want documented processes for system shutdowns, the secure avenues through which systems can be updated, and details required for activity logs. You can further protect equipment by using a virtual lockout-tagout procedure to control access for employees or outside vendors.
If some of your equipment is maintained by an outside vendor, you may also opt to take steps to ensure their network access is restricted to only a specific area (the machine network). This is especially key for vendors who are accessing the system remotely, as you don’t know the precautions they have taken on the machine through which they’re accessing your equipment. You can isolate their work on your equipment with a remote access gateway that supports one-time-use tunnels. This will ensure the vendor’s access to your equipment ends as soon as the task is complete.
You’ll likely want to make sure employees’ workstations are kept updated, with virus scans administered at agreed-upon intervals. Periodic trainings can ensure employees hear about email-, phone-, or social media-based tactics that hackers can use to gain information and access to computers or company information. With many teams working remotely during the COVID-19 pandemic, secure access to systems has been a must for companies around the world. Make sure employees have a secure, private Internet connection at home, and you may want to have them connect to a secure Virtual Private Network (VPN) as well. Ideally, have them use password-protected and company-supplied equipment for their remote work.
For remote access to your on-site equipment, you’ll want to evaluate solutions intended for industrial equipment. Your cloud-native remote access solution should ideally support one-time-use tunnels and forgo user-installed software, a prime entry point for hackers. Look for Defense-in-Depth features such as advanced two-factor authentication and single sign-on support. Since your employees will be able to monitor and troubleshoot your equipment through this service, selecting a secure solution is essential.
If you’re wondering which processes are needed for your company, reach out to a trusted expert or cybersecurity firm focused on industrial applications.
The success of your security strategy ultimately comes down to documentation, training, and ongoing dialogue about safeguards and warning signs.
You’ll need to document the processes involved for your control systems, other equipment, your network, and on-site and remote desktops – as well as determine usage rights for outside vendors who only need to access certain parts of your facility. If your employees use either work-issued or personal devices to access work remotely, they need to know how to connect to the VPN (if applicable), and be prepared to have any devices wiped if they’re misplaced or stolen.
It’s important to review these processes regularly with your IT team to ensure new guidelines or technologies that could help are reflected. This documentation and regular review process can also help when circumstances arise requiring a quick response (such as the COVID-19 pandemic).
Regular training for your employees about common tactics used by hackers can help them better identify phish-y emails – and make them aware of new warning signs. Those reminders can make the difference between someone recognizing an odd sender address and flagging it for IT, or thinking nothing of it when receiving an unexpected attachment. Make sure they know who to contact about such emails, and how to share the information (for instance, via a screengrab image instead of forwarding on the information).
Having these processes in place – and communicating them regularly – is a key way to ensure your security plan isn’t created in a vacuum. A successful strategy rests on everyone on your team knowing the processes and doing their part to maintain your application’s security.
Check out CISA’s in-depth guide to Defense-in-Depth strategies for control system environments.