Every day, new headlines proclaim that the latest global malware outbreak (fill in the current name here) is the “largest ever”, and that multimillion-dollar cyber-criminal organizations are working hard to get at our assets regardless of the protections we employ. The good news is that each new revelation makes us re-think whether our systems are really protected. But are external attacks the leading way our systems get infected? No. You might be surprised to learn that most malware infections start inside the perimeter, whether intentionally or accidentally, through the people who use and maintain the internal systems.
No matter who you are or what your job title is, YOU are an integral part of the cybersecurity protection at your site. From the moment you pass through the front gate, your cyber-related actions can undermine your site’s cyber-protection strategy. Human error is responsible for some of the worst data breaches on record, and a lack of cybersecurity awareness puts an organization’s reputation, customer trust, and potentially its bottom line at risk whenever an employee mishandles data.
Your site has an extensive collection of cybersecurity policies and procedures designed to maximize the cyber-protection of its systems. Every person who walks through the front gate must be aware of these policies and procedures, whether or not they ever touch the process control system. The following topics are key elements to focus on in support of your site’s cybersecurity program.
- Spear-phishing or phishing
  - It takes only one employee taking the bait to compromise your entire operation.
  - Phishing is one of the most prevalent methods cybercriminals use to target businesses through their employees.
  - Phishing typically harvests sensitive information (e.g. login credentials) by luring the recipient to a legitimate-looking but counterfeit website, or by getting them to open a malicious attachment.
  - Train your employees to recognize common cybercrime and information security risks, including social engineering, online fraud, phishing and web-browsing risks.
  - Be aware that phishing can also come in the form of a phone call (often called vishing).
  - Recognizing a phishing e-mail:
    - The message asks for personal information or credentials.
    - The e-mail presents an offer that seems too good to be true.
    - Be immediately suspicious of unexpected attachments, especially .zip archives, which can hide executable content.
    - Any e-mail conveying “urgency” and requiring you to act quickly.
- Posting your information on social media
  - Communicate employee policies and guidelines on social media use, and the dangers of using a company e-mail address or computer to log in to social media.
  - Posting too much personal information on social media (job role, colleagues, projects, travel) hands an attacker exactly the details needed to craft a convincing spear-phishing message or to gain your confidence.
- Indiscreet use of a USB stick
  - An attacker can plant devices (such as USB storage sticks) containing malicious code that runs when the device is inserted into a computer, hoping an employee will find one (perhaps in the parking lot) and plug it into a workstation out of curiosity.
  - Even when the origin of a device is known, it may have picked up malware from any computer it has been plugged into, including your home PC, and should be treated as untrusted until it has been scanned.
- Employee training on their role in cybersecurity protection
  - Continually emphasize the seriousness of malware infections and the responsibility of each employee to protect company data.
  - You and your employees may also have legal and regulatory obligations to protect the privacy, integrity and confidentiality of information.
  - Training needs to happen before there is a problem and must include scheduled refresher training.
  - Lock computers (laptops as well as desktops) whenever you step away.
  - Configure a password-protected screensaver so a workstation locks itself automatically after a period of inactivity.
  - Make your employees aware that they are not allowed to install software (licensed or unlicensed) on any company computer. Better yet, restrict installation rights to managers or your IT department.
  - Software from unlicensed or unofficial sources is a common carrier of malware that can attack and corrupt your company’s systems and data.
  - For guidance on password security, read my previous blog, “DeltaV Secure Passwords: The Do’s and Don’ts.”
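Two of the items above, the “found” USB stick and the unlocked, unattended workstation, map to settings an administrator can enforce rather than leave to habit. The script below is an added example, not code from the original post or from Emerson, and it is not the DeltaV Security Manual’s configuration; it writes the registry values behind the equivalent Windows Group Policy settings on a standalone workstation (on a domain-joined machine, set the same policies through Group Policy). The 600-second timeout, the 900-second audit ceiling and the function names are assumptions chosen for the example, and `Disable-UsbStorage` is left commented out because banning USB storage outright is a site-policy decision. Test on a non-production machine before rolling out.

```powershell
# Added example (not from the original post or from Emerson): hardens a
# standalone Windows workstation against two items in the list above.
# Values are the registry-backed equivalents of the Group Policy settings.
#Requires -RunAsAdministrator

function Set-NoAutoRun {
    # 0xFF disables AutoRun for every drive type (unknown, removable, fixed,
    # network, CD-ROM, RAM disk): nothing executes just because media was inserted.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
}

function Disable-UsbStorage {
    # Optional, stricter control: Start=4 disables the USB mass-storage driver
    # entirely, so even a trusted stick cannot be mounted. Start=3 restores the
    # default (load on demand).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    Set-ItemProperty -Path $key -Name 'Start' -Value 4 -Type DWord
}

function Set-SecureScreenSaver {
    # Timeout of 600 s is an assumed value; use what your site policy requires.
    param([int]$TimeoutSeconds = 600)
    # User-policy values behind "Enable screen saver", "Password protect the
    # screen saver" and "Screen saver timeout". They are REG_SZ, so the numbers
    # are written as strings. HKCU applies to the current user only.
    $key = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'ScreenSaveActive'    -Value '1' -Type String
    Set-ItemProperty -Path $key -Name 'ScreenSaverIsSecure' -Value '1' -Type String
    Set-ItemProperty -Path $key -Name 'ScreenSaveTimeOut'   -Value "$TimeoutSeconds" -Type String
}

function Test-WorkstationHardening {
    # Audit check: reports each setting and whether it meets the target.
    # The 900 s ceiling for the lock timeout is an assumed audit threshold.
    $explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $desktop  = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $autorun = (Get-ItemProperty -Path $explorer -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $secure  = (Get-ItemProperty -Path $desktop  -Name 'ScreenSaverIsSecure' -ErrorAction SilentlyContinue).ScreenSaverIsSecure
    $timeout = (Get-ItemProperty -Path $desktop  -Name 'ScreenSaveTimeOut'   -ErrorAction SilentlyContinue).ScreenSaveTimeOut
    [pscustomobject]@{ Setting = 'NoDriveTypeAutoRun';  Value = $autorun; Compliant = ($autorun -eq 0xFF) }
    [pscustomobject]@{ Setting = 'ScreenSaverIsSecure'; Value = $secure;  Compliant = ($secure -eq '1') }
    [pscustomobject]@{ Setting = 'ScreenSaveTimeOut';   Value = $timeout; Compliant = ([bool]$timeout -and [int]$timeout -le 900) }
}

Set-NoAutoRun
Set-SecureScreenSaver -TimeoutSeconds 600
# Disable-UsbStorage   # uncomment only if site policy bans USB storage outright
Test-WorkstationHardening | Format-Table -AutoSize
```

One caveat worth stating to employees as well as administrators: a planted USB device that presents itself as a keyboard rather than a storage device is stopped by neither the AutoRun policy nor the USBSTOR block, because it simply types commands into whatever session is logged in. That is another reason the locked-screen habit matters, and why a dedicated device-control product is needed if the site wants to control what may be plugged in at all.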
Make cybersecurity a part of your site’s culture. Remember that a protected system is only as strong as the weakest link and cybersecurity is everyone’s responsibility.
Contact your local Emerson Sales or Service Representative and request the latest DeltaV Security Manual, which contains the full best-practice security recommendations for DeltaV process control systems. It is also available under the Resources page of the Guardian Support web portal.