So you've read a ton of security articles, and it's likely you've noticed a few trends. A lot of what you've read probably provides pretty basic advice — Step 1: Risk assessment. Step 2: Apply the CIA model. Step 3: Follow these rules for good security — while others feature best of breed solutions designed to stand up against hackers' worst.
What's missing: practical advice that hits somewhere between the two, and includes what not to do. Because let's face it — that's just as important.
We've come up with eight bits of advice, along with what to avoid like the plague. Every tip is rooted in experience — whether we'd like to admit it or not — from our work with the government, standards bodies and a large dose of real users. The right advice comes after the wrong for each of our eight zingers.
1. To make a list or not make a list, that is the question...
The wrong advice: Don't work from a list of real, immediate security concerns.
Based on what your new security consultant told you, and the never-ending list of risks Google kindly shared when you searched for "security concerns," it's a small miracle you're not hiding under the desk yet. Good job!
Working from a massive list built by sources that don't know or understand your business might keep you safe, but by the time you're done adding security devices, I'm certain you'll be safe, but you won't be manufacturing anything.
The right advice: Conduct a risk assessment, understand where your priorities are, and turn down the volume of sensationalized security threats. Find the things worth protecting. Include the obvious big things, and try not to be so paranoid that you over think the process by listing a million small concerns.
Part of this process requires you to identify the most likely events that can adversely affect your company's treasure, including: security and non-security issues, such as improper employee practices, safety issues, design issues, mechanical and electrical problems, and power-related issues.
You should also carefully consider and then filter the objective opinions from outside experts with the understanding that they may know security, but they don't know your application or your business like you do. Be sure to give them direction and guidance and their suggestions will be helpful.
2. The 'Scope' of Security
The wrong advice: Just think about network security. By isolating the scope of security efforts to the network, you'll ensure the project is finished on time, and within budget — the rest is up to others.
The right advice: Secure everything that really matters to your company. Production uptime, equipment, products, workers, revenues, and company secrets are all tied to various security platforms, and have different needs.
While many of these can be accessed by a network, it's not the only way in for hackers. The best security for these things uses a model called "defense-in-depth" and recommends the use of layered security, including policy/procedure, computer, network and device security features to make it difficult for someone to breach all layers. We've seen government agencies and standards bodies promote defense-in-depth.
3. Framing the House
The wrong advice: Don't worry about cleaning up your infrastructure first. You've got a mix of network technology, different control vendors' systems, and an ad-hoc cluster of networks that connect to your manufacturing equipment. Just draw a chalk circle around all of it, stick a firewall or two on the edge and you can consider yourself protected.
The right advice: Clean up your infrastructure before you kick-off a security upgrade. In reality, you can secure an ad-hoc set of networks and equipment, but it will be difficult, expensive and limited in its ability to continue to expand and maintain a high level of security. By "cleaning up" the network design and migrating to fewer network technologies, organizations can ensure their Industrial Ethernet networks are properly segmented with subnets and vLANs. Less network variability and a clean infrastructure, mean easier and less expensive security across the entire application, including all of the equipment connected to the network.
4. No Middle Ground
The wrong advice: It's all or nothing. Heads, you implement everything you can find in a grand, complex and expensive security plan. Tails, you do nothing, since the "do everything" plan is overwhelming. Either option puts you out. If you implement all of the security, you pay. If you do nothing and get hacked, you pay. And everything in the middle is a gamble too, given its lack of completeness.
The right advice: Stop thinking in extremes. Adding every security feature around without considering real threats, or getting overwhelmed by complexity are both paralyzing options. Given a reasonable list of priorities, your best move is to do something now, plan in phases and implement strategically.
5. Use it or Lose it
The wrong advice: Don't use what you have. Kicking off a new security program by buying two or three different kinds of antivirus software and installing them all at the same time is an easy way to get some attention from your internal teams. But in reality, all this shows is that you spent a bunch of money and got one small piece of the puzzle right.
The right advice: There are many very effective security measures you can take without spending a bundle, or being so intrusive. If you've segmented your network using subnets and vLANs, then you probably have routers or layer 3 switches that define the subnets and vLANs. Many of these products are loaded with security features, but you'll need to determine if they help your application and turn them on. The same applies to many managed layer 2 switches.
Organizations can also protect important assets with simple, low-tech methods. Jeff Smith of American Axle suggests hardwiring level sensors to prevent tanks from overflowing, and using limit switches to prevent moving objects from travelling too far. These are very simple, inexpensive and effective approaches. This list could go on and on, and includes well-thought updates to policies and procedures like outlawing USB drives unless first screened and updated physical security measures regarding locks and keys. All are simple and nearly free.
6. This Party is Exclusive
The wrong advice: Tell IT to keep out. If you're like most companies, the relationship between production engineering and IT is interesting, if not full-out strained. Even when forced together, the two groups often find they're talking different languages and have separate objectives and metrics for success.
The right advice: IT is you best resource. More than likely, IT has much more advanced security tools and understanding than anyone in manufacturing. While some of the procedures won't be plug-and-play, seriously considering and including their input around the tools they use every day is invaluable.
IT is especially good at providing software tools — look to them for advice on antivirus, white listing and SIEM (Security Information and Event Management) software. Carefully configure their tools for your environment, and know that these tools don't have features specific to industrial applications.
7. Collaboration, the Productivity Killer
The wrong advice: Don't involve stakeholders. Like everything else, when you design-by-committee, it goes poorly. This security committee is no exception, and the number of stakeholders to consider can become staggering very fast. Consider all of the people who actually interact with parts of your manufacturing, including production people, controls engineering, maintenance, IT and management. Add in machine builders and other suppliers too. Since most of them don't have a budget for security, and they all have a pretty diverse set of needs, keep your little security project close and in your group to prevent managing an endless project.
The right advice: Involvement and investment from all stakeholders is critical. While you don't need to involve them in every part of your project, stakeholders help to identify what's worth protecting, and are mandatory invitees when considering the best way to protect assets. Facilitate the conversation by giving the group a list of possible remedies for a particular risk — they'll quickly let you know which remedies will let them to do their jobs, and which will create big problems.
It will surprise you how they reveal important, but unknown parts of their jobs when a remedy that creates a potential disruption is suggested. You'll be a hero by avoiding problems or a goat if you didn't consider asking before implementing.
8. Security is Not a One Trick Pony
The wrong advice: Play for 'one and done.' You've done the risk assessment, paid the consultant, selected solutions and put them in place. Your application is one secure thing of beauty, so you walk away with your arms folded and knock off a little early. Provided no-one changes something tomorrow, you tell yourself that you are perfectly secure and you'll never have to touch this application again.
The right advice: Plan for consistent, ongoing changes and upgrades. If you stand still long enough, even the best security system can be breached. This is one reason why you have to change your passwords on your computer often, and why the TSA randomly changes their procedures. The same principle applies to industrial applications. Consider how to change and add security over time to keep out unwanted guests. Budget for a phased approach to security, periodic reviews and updates as the world continues to evolve.
Brian Oulton is the director of global vertical marketing at Belden Inc.