By Gregory Hale
Safety is a mindset indelibly stamped in the brain of every worker in the manufacturing environment – and rightly so. But security also needs that same kind of brand.
“We need to have a security culture. We have a safety culture,” said Eric Cornelius, deputy director for the Department of Homeland Security’s Control Systems Security Program, during Monday’s talk at the 2012 Americas Triconex Technical Conference in Galveston, TX.
Without a security culture, an organization has no consistent way to ward off attackers – and there are plenty of them out there.
“Attacks do happen and they will happen,” Cornelius said. “You should aim for detection. You can’t stop them from getting in. If you want to stop people from getting in, then just stop making money.”
There are all types of attackers to watch out for, with differing levels of sophistication.
“We see the 15-year-old and the Anonymous hacktivists and organized crime and they are all a problem,” he said. “The bad guys you should be afraid of are dedicated, highly motivated people from other countries in most cases that are able to develop an attack. They can come in low and slow.”
While a lack of understanding of security can lead to fear, uncertainty and doubt, or the FUD mentality, Cornelius said there is a positive for end users.
Most of the security you need is right out there on your network. “You just need somebody that can use it,” he said. “When I spend money, it is on people because the problem usually lies between the keyboard and the chair.”
People with a good, solid understanding of security best practices, who know when and where to apply technology, are vital. Companies shouldn’t just buy security technology and throw it onto the system; they need a solid plan of attack and they need to know their system.
“Industrial control systems are very static,” Cornelius said. “Your nodes shouldn’t be communicating to China or Russia. Anomalies are very easy to detect.”
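The static-network point above can be turned into a simple check. The sketch below is an added example, not code from the talk or from DHS. It records the flows seen during a known-good period and alerts on anything new, separating destinations outside the plant from new internal paths. The address range, record format and sample records are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport")

# Assumption: the control network lives in this range (constructed value).
PLANT_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample records, "src dst dport", from a known-good period.
BASELINE_LOG = """\
10.20.1.10 10.20.1.50 502
10.20.1.11 10.20.1.50 502
10.20.1.50 10.20.2.5 514
"""

# Constructed records from the monitoring period.
OBSERVED_LOG = """\
10.20.1.10 10.20.1.50 502
10.20.1.50 203.0.113.7 443
10.20.1.11 10.20.1.51 502
10.20.1.50 203.0.113.7 443
"""

def parse(log):
    """Turn whitespace-separated flow records into Flow tuples."""
    flows = []
    for line in log.splitlines():
        if line.strip():
            src, dst, dport = line.split()
            flows.append(Flow(src, dst, int(dport)))
    return flows

def is_internal(addr):
    """True when addr falls inside the assumed plant address space."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PLANT_NETS)

def detect(baseline_log, observed_log):
    """Return one (verdict, flow) alert per flow absent from the baseline."""
    baseline = set(parse(baseline_log))
    alerts, seen = [], set()
    for flow in parse(observed_log):
        if flow in baseline or flow in seen:
            continue  # expected traffic, or already alerted on
        seen.add(flow)
        verdict = "new-internal" if is_internal(flow.dst) else "external"
        alerts.append((verdict, flow))
    return alerts

if __name__ == "__main__":
    for verdict, flow in detect(BASELINE_LOG, OBSERVED_LOG):
        print(verdict, flow.src, "->", flow.dst, flow.dport)
```

Because the baseline is an exact set of flows, the check only stays quiet on a network as static as the one described; every legitimate change has to be added to the baseline deliberately.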