Punch List for Cybersecurity

Jim Montague is the Executive Editor at Control, Control Design and Industrial Networking magazines. Jim has spent the last 13 years as an editor and brings a wealth of automation and controls knowledge to the position. For the past eight years, Jim worked at Reed Business Information as News Editor for Control Engineering magazine. Jim has a BA in English from Carleton College in Northfield, Minnesota, and lives in Skokie, Illinois.

Check Out Montague's Google+ profile.

To establish and improve cybersecurity in existing process applications and facilities, there's a series of basic tasks users must perform. Many are recommended by Symantec Security Response.

• Switch on virus-protection software, and install patches and updates regularly.
• Employ complicated passwords that include lower- and upper-case characters and numerals, and alter them every few months.
• Implement firewalls, check them routinely, and determine who's accessing the network and what software they're using. In general, all incoming connections should be denied, and users should only allow services they're certain they want to offer externally.
• Close down all unnecessary ports and components, and only allow devices and applications that users need to do their jobs.
• Make sure that people and programs have only the lowest-level privileges needed to do their work.
• Restrict software and computers used as much as possible. For example, an HMI should only run its required SCADA programs, and only interact with required components. Delete programs that PCs shouldn't be using. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
• Turn off AutoPlay to stop automatic executable file launching, and disconnect the drives when not required. If write access isn't required, enable read-only mode, if available.
• Disable file sharing when unneeded. If file sharing is required, use ACLs and password protection to limit access. Turn off unnamed access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
• Disable and remove unnecessary services, such as non-critical auxiliary services, which can be attack vectors.
• When an intrusion of attacks exploits a network service, disable or block access to it until a patch is applied.
• Keep patch levels updated-to-date, particularly on any public-service-hosting PCs that are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.

• Set up e-mail servers to block or remove messages with file attachments that are often used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
• Quarantine compromised computers fast to stop threats from spreading. Conduct a forensic analysis, and restore the PCs with trusted media.
• Train and retrain staff to follow security policies, and not work around them.
• Disable Bluetooth if it's not required for mobile devices. If it's needed, make sure the device's visibility is set on "hidden," so it can't be scanned by other Bluetooth devices. If device pairing must be used, make sure they're all set to "unauthorized," and require authorization for each connection request.