As the use of digital technology grows, so do the security threats from ever more nimble and aggressive attackers. Threats constantly evolve, and so they need constant attention. In 2020, ransomware attacks grew by 435% compared to the previous year, according to the Bitdefender 2020 Consumer Threat Landscape Report, with a similar increase projected this year.
To better understand cybersecurity best practices and how companies can protect themselves, Dee Kimata, director of cybersecurity offer management at Schneider Electric, hosted an Innovation Talks discussion that focused on the three main pillars of any effective cybersecurity program: people, process and technology.
Graham Rennie, director of technology and standards at Schneider Electric, began the discussion with the technology element, including best practices for reference architecture and how to secure the industrial automation space. First, Rennie said, it’s important to understand what security architecture is and what it’s trying to achieve. Defined as “the practice of designing computer systems to security goals,” security architecture is a vague term and one that can create confusion, Rennie said.
Part and parcel of the architecture is the security goal the organization is trying to achieve. Examples of security goals can include ensuring that compromise and disruption of the system is difficult, limiting the impact of any compromise, and making sure detection and monitoring are straightforward.
George McElhoe, senior consultant of cybersecurity services at Schneider Electric, said cybersecurity can best be described as “defense in depth” and “zero-trust access,” which means creating layers of security throughout the network and ensuring that individuals and devices have the access they need—and no more.
The classical Purdue Model, for example, arranges an enterprise into Levels 0 through 5, with the lower levels, those closest to the physical process, most in need of protection. Any communication from the enterprise network (Levels 4 and 5) down to Level 3 (site operations and control) or lower must first pass through an industrial demilitarized zone (DMZ), often labelled Level 3.5. “Each of these levels is separated by a series of firewalls and switches. They each have their own individual infrastructures, including very strict rules that specify what protocols and what users are able to do what in each area,” McElhoe said.
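The zone-and-conduit rule McElhoe describes can be written down and checked rather than left to memory. The following is an added example, not code from the talk or from Schneider Electric: it assumes a constructed address plan (one subnet per Purdue zone), a short list of permitted conduits, and a hypothetical `evaluate()` function that decides a single flow with default deny. It also lints the conduit list itself, so a rule that would let the enterprise network reach a control or field zone directly, skipping the DMZ, is rejected even if someone adds it.

```python
"""Zone-and-conduit check modelled on the Purdue levels described above (added example)."""
import ipaddress
from typing import NamedTuple

# Constructed address plan (an assumption for this example): one subnet per zone.
ZONES = {
    "L0-1 field": ipaddress.ip_network("10.0.1.0/24"),        # PLCs, RTUs, remote I/O
    "L2 control": ipaddress.ip_network("10.0.2.0/24"),        # HMIs, SCADA servers
    "L3 operations": ipaddress.ip_network("10.0.3.0/24"),     # historian, engineering workstations
    "L3.5 DMZ": ipaddress.ip_network("10.0.35.0/24"),         # jump host, historian replica, patch relay
    "L4-5 enterprise": ipaddress.ip_network("10.1.0.0/16"),   # corporate IT
}
ENTERPRISE = "L4-5 enterprise"
DMZ = "L3.5 DMZ"
INDUSTRIAL = {"L0-1 field", "L2 control", "L3 operations"}


class Conduit(NamedTuple):
    src: str
    dst: str
    proto: str
    port: int


# The only zone-to-zone flows the firewalls permit; everything else is dropped.
CONDUITS = [
    Conduit(ENTERPRISE, DMZ, "tcp", 443),                 # corporate users read the historian replica
    Conduit("L3 operations", DMZ, "tcp", 5432),           # historian pushes to its replica (initiated from inside)
    Conduit(DMZ, "L3 operations", "tcp", 3389),           # jump host RDP to engineering workstations
    Conduit("L3 operations", "L2 control", "tcp", 4840),  # historian reads SCADA servers over OPC UA
    Conduit("L2 control", "L0-1 field", "tcp", 502),      # HMI polls PLCs over Modbus/TCP
]


def zone_of(ip: str) -> str:
    """Map an address to its Purdue zone; an unknown address is an error, not a default zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    raise ValueError(f"{ip} is not in any defined zone")


def bypasses_dmz(c: Conduit) -> bool:
    """A conduit joining the enterprise directly to any industrial zone skips the DMZ."""
    ends = {c.src, c.dst}
    return ENTERPRISE in ends and bool(ends & INDUSTRIAL)


def lint_conduits(conduits):
    """Return conduits that would let enterprise traffic bypass the DMZ, however they got there."""
    return [c for c in conduits if bypasses_dmz(c)]


def evaluate(src_ip: str, dst_ip: str, proto: str, port: int, conduits=CONDUITS) -> str:
    """Decide one flow. Default deny; the DMZ rule wins over any listed conduit."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return "allow"  # intra-zone traffic is governed by host firewalls, not the zone policy
    candidate = Conduit(src, dst, proto, port)
    if bypasses_dmz(candidate):
        return "deny: crosses the DMZ boundary"
    if candidate in conduits:
        return "allow"
    return "deny: no conduit"


if __name__ == "__main__":
    for flow in [("10.1.5.20", "10.0.35.10", "tcp", 443),   # enterprise -> DMZ replica
                 ("10.1.5.20", "10.0.1.7", "tcp", 502),     # enterprise -> PLC directly
                 ("10.0.2.15", "10.0.1.7", "tcp", 502),     # HMI -> PLC
                 ("10.0.2.15", "10.0.1.7", "tcp", 44818)]:  # HMI -> PLC on an unlisted port
        print(flow, "->", evaluate(*flow))
    print("bad conduits:", lint_conduits(CONDUITS + [Conduit(ENTERPRISE, "L2 control", "tcp", 502)]))
```

The point of `lint_conduits()` is that the structural rule (nothing crosses the DMZ boundary directly) is enforced independently of the allow-list, so a convenience rule added during an outage cannot silently undo the segmentation.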
Lockdown and alarm functions can send alerts if unauthorized computers or users plug into the system. And, since a Trojan or virus might still get through the best defenses, McElhoe recommended continuously updated system backups stored both onsite and offsite.
John Fowler, senior professional cybersecurity services consultant at Schneider Electric, took over the discussion to describe the various types of security measures in more detail. In addition to network protection and physical access control for devices such as PLCs, HMI servers and workstations, another layer of protection involves endpoint protection against viruses and malware plus security hardening to reduce the attack surface. Other best practices include disabling unused services and ports, changing default usernames and passwords, and keeping firmware, applications and drivers up to date.
“Without security and hardening, it’s like trying to protect your home by adding multiple locks and chains to the doors, but then leaving the windows open,” Fowler said.
Cybersecurity solutions must also consider remote access for engineers, third-party support teams or vendors to provide emergency support. While the pandemic has increased the need for remote capabilities, Fowler said, organizations must also make sure remote connections are secure and remote users are able to perform their roles effectively and efficiently without compromising the security, availability and integrity of the process.
Marlene Ladendorff, cybersecurity assessment program manager at Schneider Electric, moved the discussion toward the process pillar of the cybersecurity journey, specifically the policies and procedures needed to support a cybersecurity program. “Technology is great, but it must be bounded within the confines of documentation, such as policies and procedures,” Ladendorff said. A policy is a document describing what organizations need to have done; a procedure describes how to implement the policy. While both are equally important, Ladendorff said, the policy must precede the procedure. The biggest takeaway? “Have documentation in place,” she said.
Lastly, the discussion focused on people. “Without the proper behavior, people can be the weakest link in maintaining your cybersecurity posture,” Kimata said. Nasir Mundh, senior commercial director of cybersecurity services at Schneider Electric, talked about why the best controls, policies and procedures are not enough for security success. “In the end, it depends on the people,” he said. Do they buy into the philosophy? Do they understand the seriousness of the threat? Do they understand the reasoning behind the policies and procedures?
To support employee buy-in, companies need to invest in ongoing cybersecurity training, Mundh added, and training should apply not just to operators and technicians, but everyone, including higher management. “You have to communicate, you have to educate, and you have to appreciate,” Mundh said. “The more robust, the more interactive, the more open those communications are, the more robust that system is going to be.” To match the dynamic nature of cybersecurity threats, training must be a continuous improvement process as well.
Kimata closed out the session with a Q&A period that addressed the best place to start the cybersecurity journey and the most important global cybersecurity standards. “Getting the journey started is something that is a challenge for most companies,” Kimata said. She suggested that the best place to start is with a risk assessment to understand both high and low priority gaps. Start by focusing on the high priority needs as well as “low hanging fruit.” She also recommended doing thorough cybersecurity assessments annually or every 18 months.
From a standards perspective, Kimata recommended starting with the ISA/IEC 62443 series of standards, which addresses cybersecurity at the program, system and component levels. “But if you map the most important standards together, they all have some element of overlap,” she noted.
Schneider Electric can help put all the pieces together: people, process and technology. Still not sure where to start? Contact Schneider Electric to help get you started on the journey at [email protected].