When someone asks what can be done to improve their cybersecurity situation, the explanation often depends on where they are today. Minimizing cybersecurity risk is an ongoing process, but do not let that intimidate you. Even if your organization is just beginning its journey, and even if you do not have a big budget, there are a number of things that you can do now to improve your cybersecurity posture. Here is my top 6 list, in no particular order.
Physically Disconnect any unmanaged vendor access points: It is common that vendors install – or ask you to install – remote access points for startup and troubleshooting of their systems. These are devices that connect to the supplier over the Internet. If they are managed, the security risk may be made acceptable. If left unmanaged, they are an even greater concern. Even if you do not connect your network to the Internet, the vendor’s device may be doing this on its own through a 3G/4G cellular link. In either case, these access points increase the potential attack surface and should be physically disconnected when not in use.
Develop an Asset list: At a minimum, this should have the names, device type, and network addresses of all cyber devices in the system. To start, this list would include every PLC, HMI, and computer that has a unique IP address. A more thorough list would include devices using non-IP or non-Ethernet based communication protocols. As your posture improves, it should also include part number information, firmware version, installed software, and eventually obsolescence risk values.
Create Backups: Make sure that each program, such as a PLC, HMI, or VFD application, has a backup in a storage location that is physically and logically separated from the hardware in question. Where appropriate, set up automatic tools to copy data, applications, and drives.
Check for known vulnerabilities of your systems: The National Vulnerability Database and ICS-CERT are good sources of information on cybersecurity vulnerabilities. Major vendors periodically release patches for system vulnerabilities. See which ones are appropriate for installation based on the devices you currently have in your plant. Contact the vendor or ACE if assistance is needed with this determination or performing the updates.
Implement/Improve Change management procedures: At a minimum, you should let any project teams know if an emergency change was made and also make a backup before and after the change was made. Ideally, change management procedures have an administrative mechanism to coordinate between multiple projects that may need to change the same application. Furthermore, a good change management process helps make sure supporting aspects such as cybersecurity are considered during every project. Examples of cybersecurity considerations include whether there is an impact to the cybersecurity of existing systems, whether suppliers and/or contractors require site-specific cyber training, and whether improvements to the site’s cyber posture can be made during this project.
Identify a System Owner: This is the person responsible for approving changes and will be knowledgeable about abnormal system operation. This person should be tied to the day-to-day operations so that any abnormality is easily noticed. This person plays a key role in any cybersecurity implementation and maintenance.
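As an added example (not part of the original article), the following Python sketch audits an asset list against the minimum fields named under "Develop an Asset list" and flags devices with no recorded backup or firmware version, which the backup and vulnerability-check items depend on. The CSV column names and the sample inventory are constructed assumptions, not a format the article prescribes.

```python
import csv
import io
import ipaddress

# Constructed sample inventory; column names and devices are illustrative assumptions.
SAMPLE_CSV = """name,device_type,ip_address,firmware,backup_location
PLC-01,PLC,192.168.10.11,v2.1,nas01:/ot/plc-01
HMI-01,HMI,192.168.10.21,,nas01:/ot/hmi-01
VFD-07,VFD,192.168.10.21,1.4,
ENG-WS,Computer,192.168.10.300,Win10,
,PLC,192.168.10.12,v2.0,nas01:/ot/plc-02
"""

# Minimum fields the article asks for: name, device type, network address.
REQUIRED = ("name", "device_type", "ip_address")


def audit_inventory(csv_text):
    """Return a list of (device, finding) tuples for gaps in the asset list."""
    findings = []
    seen = {}  # parsed IP address -> first device that claimed it
    rows = csv.DictReader(io.StringIO(csv_text))
    for line_no, row in enumerate(rows, start=2):  # line 1 is the header
        label = (row.get("name") or "").strip() or f"row {line_no}"
        for field in REQUIRED:
            if not (row.get(field) or "").strip():
                findings.append((label, f"missing {field}"))
        addr = (row.get("ip_address") or "").strip()
        if addr:
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:
                findings.append((label, f"invalid ip_address {addr}"))
            else:
                if ip in seen:
                    findings.append(
                        (label, f"duplicate ip_address, also used by {seen[ip]}"))
                else:
                    seen[ip] = label
        # A device with no backup location cannot be restored after an incident.
        if not (row.get("backup_location") or "").strip():
            findings.append((label, "no backup_location recorded"))
        # Firmware version is needed to match the device against vendor advisories.
        if not (row.get("firmware") or "").strip():
            findings.append((label, "firmware not recorded"))
    return findings


if __name__ == "__main__":
    for device, finding in audit_inventory(SAMPLE_CSV):
        print(f"{device}: {finding}")
```
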
If you have already tackled these things, you have set the groundwork to begin other initiatives. These include, among other things, password management, role-based security, network segmentation, and intrusion detection. Most of these activities are best performed after a cybersecurity assessment so that changes address the largest risks and meet the cybersecurity goals of your organization.
A final recommendation is to secure a relationship with a qualified system integrator. This formal relationship typically takes the form of a support agreement. This agreement would include three components: site familiarization training, maintenance visits, and funding for emergency support. By having a support team that is familiar with your site, you have “another set of eyes” for discussions on cybersecurity and other engineering topics. You also have a team that can ramp up quickly to offer the required engineering effort needed to recover from a cybersecurity incident.