Security, do I really need it?
17 March 2009
These are the responses often heard when security is raised; we haven’t had a security incident, if I get attacked I will do something. But argues Karl Williams, principal security consultant at Invensys Process Systems, has the ‘what if’ scenario really been fully considered?
If production is lost, what would be the business impact? Who would be responsible? How would the incident and recovery be handled? The reality is that production has been impacted by security incidents in varying degrees from degraded performance and availability to complete plant shutdown.
Areas to consider where security is concerned
The challenge of a mixed technology environment. Where new technologies are adopted sometimes alongside much older technology, risks will vary and so mitigation needs to be chosen accordingly.
Connecting production systems to business and other networks. The needs of business and additional applications for analysis, production improvement, support, and so on, makes this more common place and any connectivity brings with it security risks.
Increased level of threat. Today the most likely impact on systems is the rise in exploiting vulnerabilities for financial gain, usually via indiscriminate exploitation of technology platforms. While targeted activity aimed at specific companies or systems is possible there is not the publicly available evidence, at least to date, to suggest this is taking place in the industrial environment; does this mean it is going unnoticed, hidden by system problems?
To date it is the technology itself that has been the recipient of unwanted attention; this is likely to include malicious code such as Bot/Robot (as part of a Botnet), virus, worm or Trojan. This type of malicious code is generally indiscriminate and therefore can impact any system using a particular platform causing an impact on production from availability to performance. While Microsoft Windows gains the most publicity, UNIX systems are not immune and a false sense of security can occur by relying on security through obsolescence or obscurity.
Whether you want security or not the facts are that unless your system is completely isolated, and has no connectivity, either directly via a network, dial up, etc, or indirectly via removable media, e.g. USB, CD, laptops, etc. you should be thinking about security.
Consider the following
People: they are closest to the systems and need adequate training to understand what security means to them and the systems they interact with and also the impact their actions can have.
Asset and security management: this is vital to understand what is in place, its criticality and its status.
Technology: The technology must allow authorised system operation to maintain availability and performance. Firewalls are well known, but there is more to security than just fitting a device, it needs to be managed, including receiving software updates and logs analysis. Other options include antivirus and intrusion detection or prevention.
In conclusion, do you know who and what connects to your systems at all times? If you are already doing something about security is it sufficient and effective, when was your security last reviewed, and are you sure that if system performance is unreliable or poor it is not related to unwanted access, activity or malicious code?
Contact Details and Archive...
Most Viewed Articles...