Much of the time and expenditures for system security is focused on external cyber-threats, even though most breaches are internal. Knowing this is the key to assessing, prioritizing and resolving your computer security threats. Another common misconception is that technical solutions are most important. However, nontechnical approaches solve most problems, for example, by developing and enforcing company policies about passwords, system access and system usage.
Attacks are either deliberate or inadvertent.
Deliberate attacks are usually caused by disgruntled employees, former employees or rejected job seekers. A notable attack occurred in Australia when a disgruntled job seeker turned eco-terrorist manipulated the city sewage treatment plant using a laptop PC and a radio to release millions of gallons of untreated sewage.
Employees who feel they might be downsized may decide to plant computer “time bombs” that will destroy manufacturing automation systems. Former employees may access your system with the help of poor security practices, such as failing to immediately block their system access after their employment has terminated.
Inadvertent attacks are caused because preventive policies haven't been established and enforced. For example, employees install their own software or access the Internet on automation systems.
Attack prevention requires just two basic steps:
- Management puts policies in place that describe how employees are expected to comply with processes and procedures.
- Employees follow the policies.
Outside the Walls
You can't ignore potential external computer attacks. One way to prevent them is with a corporate data collection system separate from the manufacturing automation system. This keeps corporate intranet or Internet data traffic from directly accessing the control network.
An external data collection system allows all employees on the corporate IT system to access manufacturing data without the risk of interrupting the manufacturing automation system.
If direct access to the manufacturing automation system is desired instead of indirect access through the separate data collection system, then workers should follow strict system security policies.
The Security Czar
No hardware or software can prevent an attack. Security requires operational procedures, passwords, levels of access, approval processes and security rules.
You can appoint a “security czar” who's given the responsibility for automation system security, the authority and budget to carry out the task, and strict accountability for security enforcement.
Maintaining security on a manufacturing automation system is a full-time job that requires vigilance, and it deserves a corporate commitment to ensure the protection of your intellectual property.
Top Security Defenses
- Allow access to the manufacturing automation system only through a firewall.
- Develop a plan for allowing vendors to access their equipment remotely only under your direct supervision.
- Lock up the hardware. Put all control system equipment, such as servers, routers and disk drives, in locked cabinets in a locked room and limit access.
- Appoint a Security Czar with sufficient authority, power, budget and accountability.
- Develop a control system security policy backed by senior management. Enforce it.
- Develop a disaster recovery plan to get your plants up and running after a security incident.