- Register

 
 

Home>AUTOMATION>Security>Infosecurity: stop throwing rocks at each other
ARTICLE

Infosecurity: stop throwing rocks at each other

08 May 2013

As GAMBICA forms an Industrial Security Group, one of the main messages coming out of the Infosecurity exhibition last month was how many companies are gearing up more than ever before to address problems on the shop floor, and not just in the IT department. Andy Pye spent two days talking to the cyber-security professionals.

Traditionally, cyber-security companies have focussed on the large corporates, principally financial institutions, government departments, the health service and defence companies, and have metaphorically shrugged their shoulders at any mention of manufacturing, still less of SMEs.

But things are clearly changing. Many of the companies (though not all) I spoke to at this year’s event are much keener to address this market than ever before.

That SCADA and industrial control system vulnerabilities are no secret doesn't make them any less concerning

That SCADA and industrial control system vulnerabilities are no secret doesn't make them any less concerning. Most worrisome is how little headway the power generation and distribution industry has made to secure the machinery so crucial to our civilisation.

There's a gap between SCADA system security technologies and the understanding of risk among those in operations. Simple things, like a lack of patching or antivirus on PCs which run SCADA systems need addressing. Gas, electricity, water and transport systems are vulnerable to malware infection as a result. It's the same type of malware that the bad guys are trying to put on your home PC to steal your banking credentials.

Malware also gets in because of the "porous" interconnection between the control network and the corporate network, staff inserting USB keys into unpatched computers, and contractors connecting their laptop to the network and accidentally unleashing malware into the system. It is not uncommon for a PC controlling a manufacturing cell to be running a very old version of Windows, such as NT or XP without an internet connection.

In addition, thousands of critical SCADA systems reachable from the Internet are secured by dangerously weak default passwords.

SCADA systems are not run by the corporate IT departments in critical infrastructure companies but by the engineering department. The engineering and IT departments need to "stop throwing rocks at each other" and start working together on SCADA systems. Process control systems they are still made out of IT systems and the best practises such as patching and strong passwords need to be applied.

SCADA system owners checklist:

  • Conduct a SCADA security risk assessment, including penetration testing if appropriate, and conduct regular vulnerability testing.
  • Create SCADA security policy, so use a risk-based approached focused on credible threats.
  • Develop governance processes to manage vulnerabilities and actions during security events.
  • Assign SCADA security responsibility, so use line managers and have performance externally audited.
  • Train staff, especially those in engineering who are usually responsible for the operation of SCADA infrastructure, to be security conscious.
  • Legal obligations: ensure you meet your customers' increasingly complex legal obligations for cyber security.
  • Business continuity: plan for the worst (including disaster recovery) and design future SCADA systems with security as a key deliverable.

With a timely intervention, GAMBICA has formed an industrial network security group to identify standards and best practice for members and their customers to help counter the threats of viruses, industrial sabotage and terrorism.

The new group already has 19 members and came about as a result of feedback from other group members suggesting that this is an area of increasing interest to the automation industry.

"I put out a proposal to GAMBIA’s membership and within hours got messages back from about 15 member companies saying they were definitely interested in participating in such a group,” reveals Steve Brambley, deputy director of GAMBICA. "We had an exploratory meeting where it was determined that the industry is interested in spreading best practice among both vendors and their customer base.”

"At some point later in its life, the engineering department may decide it wants to connect some manufacturing cells to get production information out onto the IT network,” add Brambley. "This can introduce vulnerability if the cells are managed by a PC with an old version of Windows that has not been updated."

Cost of cyber breaches rises three-fold, research shows

The cost of cyber breaches has increased three-fold in the past year, according to the latest annual Cyber Security Breaches Survey published by the Department for Business, Innovation and Skills (BIS) and announced at Infosec 2013.

The average cost of the worst breaches for small businesses was £50,000, while for large businesses this was £650,000, with some of the larger breaches costing more than £1m.

Business disruption was the biggest contributor to the cost, with companies taking longer to fix problems, restore systems and investigate breaches.

This report comes as the Technology Strategy Board extends its Innovation Vouchers scheme to allow small and medium enterprises (SMEs) to bid for up to £5,000 from a £500,000 pot to improve their cyber security by bringing in outside expertise. BIS is also publishing guidance to help small businesses put cyber security higher up the agenda and make it part of their normal business risk management procedures.

Cost of cyber breaches rises three-fold, research shows

The cost of cyber breaches has increased three-fold in the past year, according to the latest annual Cyber Security Breaches Survey published by the Department for Business, Innovation and Skills (BIS) and announced at Infosec 2013.

The average cost of the worst breaches for small businesses was £50,000, while for large businesses this was £650,000, with some of the larger breaches costing more than £1m.

Business disruption was the biggest contributor to the cost, with companies taking longer to fix problems, restore systems and investigate breaches.

This report comes as the Technology Strategy Board extends its Innovation Vouchers scheme to allow small and medium enterprises (SMEs) to bid for up to £5,000 from a £500,000 pot to improve their cyber security by bringing in outside expertise. BIS is also publishing guidance to help small businesses put cyber security higher up the agenda and make it part of their normal business risk management procedures.


Key Points

  • There's a gap between SCADA system security technologies and the understanding of risk among those in operations
  • Malware gets in because of the "porous" interconnection between the control network and the corporate network
  • Thousands of critical SCADA systems reachable from the Internet are secured by dangerously weak default passwords

 
OTHER ARTICLES IN THIS SECTION
FEATURED SUPPLIERS
TWITTER FEED