Cyber Security

What are the most common ways plant security is breached and what are the most effective ways to prevent them?

Larry Griffin | Intranet Manager - PSS

  • While I don’t think there is a universal answer for this concern, in my opinion most DeltaV systems are the most vulnerable in the area of removable media. A common thought is that if I’ve got anti-virus software installed, I’ll be OK. But there is too much reliance placed upon the anti-virus software. The zero-day exploits (those which take advantage of some new issue for which there is not yet detection or patch software available) should always be guarded against. You can only do that by carefully controlling the physical media access and network access to the system. Again, the anti-virus package can only stop known issues.

    If you do have the need to move electronic media, using dedicated devices between systems you control is the safest way to go. General purpose devices that might have been exposed to a machine that is perhaps used to download other software from the Internet, or is used on systems that are less guarded, should be avoided.

    Overall, you really need to do a risk assessment for any specific system to discover what should be done to secure the system. You will have to prioritize as you’ll probably find that you can’t do everything. But the assessment will focus your effort on the highest priorities.

  • There are 2 ways to mitigate issues. The first one is described by Randy - SW+HW+on-line supervision (any kind of "reactive" activity - you solve known issues). I always put the second one on the same level of importance - to build a safety culture - every employee / supplier step done on the system security side has to be done / implemented in a safe manner (trainings, refreshing known things, and security audits - Randy also touches on this topic in the last paragraph). The second way is more preventive / proactive.

  • In reply to Radomir Pistek:

    Radomir raises good points with the safety culture side of things. In a post, With Security Comes Different Points of View, another consideration is the different points of view the operations organization can have from the IT organization. Bob shares the different frames of reference:

    From the automation point of view, robust operation and availability is paramount. For the IT organization, being current on the latest patches, virus scan data files, etc. is critical. Even simple things such as screen saver locks can trigger quite opposing views. For example, if an operator gets locked out and can’t immediately address a plant alarm condition, the results can be very different than if an accounts payable professional gets locked out from their workstation.

    Having a safety culture and clearly defining roles and boundaries is important in a cyber-security program.

  • In reply to Jim Cahill:

    I highlighted a nice risk assessment model presented by Randy Pratt and Greg Stephens at the recent Emerson Exchange in today's blog post, Cyber Security Risk Assessment Model.