Best Practices Cyber Security: Are You Managing Your Risks?
Follow these guidelines to help reduce risk:
- Disable software automatic updating services on PCs
- Inventory target computers for applications, and software versions and revisions
- Subscribe to and monitor vendor patch qualification services for patch compatibility
- Obtain product patches and software upgrades directly from the vendor
- Pretest all patches on systems that are non-operational and not mission-critical prior to application
- Schedule the application of patches and upgrades and plan for contingencies

Application security refers to the process of infusing industrial control system (ICS) applications with the concept of security. This includes following best practices such as using a Role-Based Access Control system to leverage the Principle of Least Use or Privilege, locking down access to critical process functions and forcing username/password logins and combinations. The result is a more stable, more secure system.
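The patch guidelines in the list above can be enforced as a gate that runs before anything is scheduled. The following is an added example, not part of the original article: it checks each patch against the inventory, the vendor qualification result, the vendor-published digest of the file and the pretest record. All host, product and patch names are constructed, and the data layout is an assumption.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Patch:
    patch_id: str
    product: str
    applies_to: str         # installed version the vendor qualified it against
    vendor_qualified: bool  # result from the vendor patch qualification service
    sha256: str             # digest published by the vendor for the patch file

def gate(inventory, patches, downloads, pretested):
    """Return {(host, patch_id): decision} for every patch that applies to a host."""
    decisions = {}
    for host, installed in inventory.items():
        for p in patches:
            if installed.get(p.product) != p.applies_to:
                continue  # inventory says this patch does not apply here
            blob = downloads.get(p.patch_id)
            if not p.vendor_qualified:
                decision = "hold: not vendor-qualified"
            elif blob is None or hashlib.sha256(blob).hexdigest() != p.sha256:
                decision = "hold: file does not match vendor digest"
            elif p.patch_id not in pretested:
                decision = "hold: pretest on non-operational system first"
            else:
                decision = "schedule"
            decisions[(host, p.patch_id)] = decision
    return decisions

# Constructed sample data (hypothetical hosts, products and patch ids).
GOOD = b"constructed patch payload A"
INVENTORY = {
    "hmi-01": {"ExampleHMI": "5.1"},
    "eng-ws-02": {"ExampleHMI": "5.0", "ExampleHistorian": "2.3"},
}
PATCHES = [
    Patch("P-100", "ExampleHMI", "5.1", True, hashlib.sha256(GOOD).hexdigest()),
    Patch("P-101", "ExampleHMI", "5.0", True, hashlib.sha256(b"vendor copy").hexdigest()),
    Patch("P-102", "ExampleHistorian", "2.3", False, hashlib.sha256(b"x").hexdigest()),
]
DOWNLOADS = {"P-100": GOOD, "P-101": b"copy from a third-party mirror"}
PRETESTED = {"P-100"}

if __name__ == "__main__":
    for key, decision in gate(INVENTORY, PATCHES, DOWNLOADS, PRETESTED).items():
        print(key, "->", decision)
```

Only patches that reach `schedule` go into the maintenance window; every `hold` names the guideline that has not yet been met.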
Device hardening involves changing the default, out-of-the-box configuration of an embedded device to make it more secure. These devices include programmable automation controllers (PACs), routers, managed switches, firewalls and other embedded devices. Their default security will differ based on the class and type of device, which subsequently changes the amount of work required to harden a particular device.
Defense-in-Depth Strategy for Hardware
When it comes to selecting the right products and services, some asset owners ask their automation supplier if a product is compliant with a particular standard. While security standards are important, most apply to a system, not products.
It is important to focus on the system and apply the defense-in-depth strategy to the products the owner selects. This starts by enabling anti-tamper capabilities often built into products. This includes setting the controller key switch for physical security, using CPU locks to help prevent unauthorized access, leveraging read/write tags and making sure the main controller Function Blocks are not user accessible. In some controllers, the definition of an add-on instruction (AOI) can also be locked down.
It is also important to validate firmware authenticity through firmware digital signatures. Layer 3 access control lists (ACLs) and software solutions such as FactoryTalk Security from Rockwell Automation can be used to control user access.
Absolute Security is Impossible
The reality in the contemporary digital, connected world is that there can be no absolute security. However, this by no means suggests the good guys cannot fight to win. Networks are designed by well-intentioned people with a goal of facilitating communications and protecting what needs to be protected.