By Gregory Hale
For a time, fear, uncertainty and doubt (FUD) were the prevailing mindset in the security environment.
Scare enough people about some incident that happened once a while ago and surely manufacturers will understand they need security. By now, manufacturers should be aware those days of FUD are long gone and the real task at hand is making sure your system is safe and secure against the bad guys trying to get in and steal what you value the most.
“There are growing threats; you can’t hide from the threats,” said Paul Forney, consulting architect for common architecture and technologies at Invensys Operations Management during his Thursday talk entitled “Cyber Security in the New World” during the Invensys Software Conference and Tech Support Symposium in Dallas, TX. “It’s a changing world. There are bad guys out there, but it is not just that anymore, there are botnets with hundreds of thousands of computers working to break into your systems. Stealth attacks are increasing. All countries are doing it and they have been doing it for years.”
“Attackers are getting more sophisticated. They are getting onto your system and waiting for three months or so and then ET calls home and gets instructions,” Forney said.
The funny part is while the sophistication level of attacks is getting higher, they are not really that hard to pull off.
“There are kits out there and the technology takes care of the hard part,” he said.
The numbers back him up: reported industrial control system attacks have increased 600 percent since 2010, according to NSS Labs.
If those increases in attacks were not enough, there are other reasons manufacturers need security:
• Reducing environmental and financial risk
• Regulatory compliance
• Increasing plant safety
• Connecting the plant to the enterprise
• Reduced downtime
One of the problems users have had with implementing security is it can appear overwhelming to try and tackle all of it at once. But it doesn’t have to be that way.
“We can’t do it all in one fell swoop,” Forney said. “It has to be planned, structured and logical.”
While standards are important to follow, Forney mentioned some best practices that could take the user into a secure environment:
• Use proactive protection
• Whitelist applications
• Classify data
• Follow a standard
• Red team often
• Manage vulnerabilities
Whitelisting restricts a system to a list of approved applications it can run. Forney said it is a good solution, but only a part of a solid defense-in-depth program.
When it comes to classifying data, Forney said, figure out what it is you have to shield. If your company has a top-selling product, make sure you save the recipe so an attacker can’t come in and steal it.
“If it is not worth protecting, then don’t worry about it, but if it is worth protecting then protect it,” he said.
Fear, uncertainty and doubt should not be the approach to security. A smart, structured, thoughtful movement toward a secure environment is the way to go rather than being purely reactionary.
“You can change things if you are proactive,” Forney said. “Don’t let people get to your computer. If I can get to your computer, you are toast.”
The future, Forney said, is going to be more of the same. Not gloom and doom where users don’t stand a chance, but a positive environment where people can prosper within the confines of their security program running in the background.
“It all starts with changing your culture,” he said. “There is no silver bullet, we must all work together. Security is a collaboration between people.”