By Gregory Hale
Standards offer a solid framework to ensure a secure manufacturing automation environment that helps cut out as much unplanned downtime as possible, but the end user needs to be as “aggressive as the hackers.”
“Cyber security is not a project, every site need a security management system,” said Gary Williams, senior director, cyber security at Schneider Electric during his talk in the Wednesday keynote at Connect 2016 in New Orleans, LA.
Along those lines, he said, there are two methods to secure any system: A 10-step methodology or the zones and conduits approach.
For the 10-step approach, Williams said, you have to adopt a standard.
“It doesn’t matter what the standard is, although we have adopted the IEC 62443 standard,” Williams said. “No matter the standard, it gives you a common language.”
The second step is to gather the controls that pertain to your environment. There are standards that have multiple aspects to them and people will say there are parts that don’t pertain to my environment. “That is fine,” Williams said, “just pick the ones that work for you.”
The third step is to do a gap analysis to learn your system.
After that gap analysis, Williams said the next step is to to a risk and threat analysis. “One problem is people will mitigate the critical issue, but they don’t go back to review it until it is totally mitigated and that could take about a year,” Williams said. “You should review it every quarter.”
The next step would be to execute the mitigation and then to survey the system and gather configuration files.
The next move is to store the configuration files and you should store them offsite in a secure environment and then onsite.
The next step is to inform all stakeholders. “Everyone has to keep in mind, this is not a project, it is an evolution,” he said.
The next step is to verify regularly. “Attacks are different. What worked today may not work tomorrow,” he said.
The final step, Williams said, is the most important and that is to educate. “The engineers in the control room are you first line of defense. If they can find the issue, they can mitigate it and then call in the experts.” But that does not happen unless they have a good understanding of what the security plan is all about and what they should be looking for. They don’t have to be experts, but they can hold off an attack before it escalates into something bigger.
When it is all said and done, Williams called the 10-step method his AGGRESSIVE approach, which stands for Adopt, Gather, Gap, Risk, Execute, Survey, Store, Inform, Verify and Educate.
The other methodology is to follow a part of the IEC 62443 standard that talks about zones and conduits.
Zones and conduits is part of a defense in depth model that helps lock down a network. Using this model, a user should only allow minimum required traffic into zones and when threats do come through alarms sound. A conduit is a pathway of communications that exits and enters a zone. A zone is a specialized area on the network that needs protection.
“Breaking down a system into zones and conduits, it teaches people what they have on their system,” Williams said. “It gives you a better awareness of what you have. You can identify network assets and protect the conduits.”
Williams said in one instance where one of his clients was using the zones and conduits approach and they kept finding a wireless signal in their environment, but they couldn’t figure out where it was coming from and the end user didn’t even know they had a wireless signal in that zone. As it turned out, there was a printer that had a default Bluetooth signal operating and the user never knew it was live and continuously operating. By doing that evaluation, they were able to understand they had a live signal operating within that zone and they were able to mitigate it.
By using the zones and conduits portion of the IEC 62443 standard, that user was able to apply the standard to help them achieve a level of security.
“We want to have a common language, that is the strength of standards,” Williams said.