By Gregory Hale
Leigh Weber knows there is great potential for injury or death as a result of a cyber incident through an industrial control system.
That is why securing an industrial control system is so important, Weber said during his presentation Tuesday at the Yokogawa 2012 Users Group in New Orleans.
“While the statistics come from a small sampling, we found 5 percent of incidents resulted in injury or death,” said Weber, senior security engineer at safety and security company exida.
“There are a lot of people out there that have come up with means and methods to mess up your control system.”
Some of the threats out there are:
• Software bugs
• Malicious software
• Unauthorized physical access
• Unauthorized network access
“Control system security is about preventing intentional and unintentional tampering of systems,” he said.
Over the years, Weber has seen quite a bit, and the level of sophistication just keeps rising.
“I have been creating software for 40 years and the kinds of attacks people are thinking of now are things we wouldn’t even think of even five years ago,” Weber said.
That means, no matter what, control systems remain vulnerable, not because of the new products that are coming out now, but because legacy systems were up and running long before the idea of cyber attacks was ever a thought in an attacker’s mind.
Weber said that, to secure an industrial system, a user should:
1. Assess existing systems
2. Document policies and procedures
3. Train personnel and contractors
4. Segment the control system network
5. Control access to the system
6. Harden components
7. Monitor and maintain system security
One other way to ensure a system is secure, he said, is to insist vendors comply with a form of security certification, like the ISASecure model.
“If you don’t have a procurement policy that includes security, you won’t get it,” Weber said.
Weber said making sure companies comply and undergo the ISASecure process will help ensure any system becomes much tougher.
“Security is a lot like political science, where if you have the word science in something, it is not science,” Weber said. “Security is more like art.”