Take a fresh look at your system security

Alittle known organisation called the CPNI (Centre for Protection of National Infrastructure), along with other government agencies, spends a great deal of time and effort offering practical advice to some of the businesses supporting the UK's major infrastructure requirements. Road, rail and transport industries, power generators, energy providers and water utilities are all potentially high risk in terms of threat. Any type of incident, attack or failure occurring within them would have potentially devastating consequences. However, it isn't just this type of business that needs ongoing risk assessment and protection of SCADA networks. The same methodical preparation, thinking and implementation should also be front of mind for any manufacturing or process-driven business that could be at risk of attack or production failure. Company systems can be open to any number of threats and, once attacked, it is often too late to retrieve a situation. Think, for example, of a food manufacturer whose quality control procedures are compromised, or an industrial process targeted by environmental, political or animal rights protestors. Conversely, internal threats may appear, either accidental or intentional access violations, or virus introduction. It is my view that many businesses are at best complacent, and at worst potentially negligible, when it comes to protecting themselves and safeguarding their industrial networks' health, particularly when focusing upon automation networks. So, why the increasing potential for system failure? Over the past 10 years we have seen a move from central control structures to a common reliance upon open technology and IT standards – in particular, ethernet-based solutions being commonly used at all automation levels offering greater connectivity. We now see integrated networked systems and connection to an IT infrastructure, as well as the advent of IT departments attaining joint responsibility with the production departments for automation networks. This is a fatal flaw. Automation networks differ greatly from office-based, IT-led networks. The standards applied to an IT-driven solution for network security cannot be the same as those applied to the process control world. This is a crucial and central realisation that all companies should accept. How can a business protect itself? The answer lies in addressing four main business risk steps. Company managers should: understand the system they currently have; clarify the threats faced; be clear about the impact of any threat; and understand their vulnerabilities. How many firms, for example, allow contractors on site perhaps with their own PC which is then linked into the company network? Who is monitoring this? What is the contractor doing with the access he is afforded to the system? It's about changing mindsets from one of complacency to one based on proactivity. A simple audit is a good start. Set up a risk analysis team and proceed with a full system inventory. Ask pertinent questions about the system, including: how many locations, sites, systems and assets exist; what is the business and operational critical nature of each site and system; who is accountable for each site; and is all the documentation up-to-date. Follow these ten steps for peace of mind: ? Establish "security governance" by planning and performing awareness training across the company ? Establish policies, procedures and processes for the secure operations of SCADA systems ? Ensure that security management and monitoring is built into standard operating manuals ? Integrate security operations both at head office, as well as on site ? Audit and list all possible points of entry e.g. the internet, external dial-up into the SCADA system and assess the threat and controls in place ? If management or maintenance of SCADA systems are outsourced ensure strict controls are in place for third parties ? Follow best practice for any acquisition and implementation of hardware or software ? Create disaster and business continuity plans and test them! ? Develop a security compliance checklist on site and add this compliance to the site manager compensation and evaluation process ? Seek external help from industry associations and share best practice. To hear more on this topic and other key industry issues, book your free place at the Answers for Industry conference on 4th and 5th July at Manchester Central Convention Complex, by visiting www.siemens.co.uk/afi