Rockwell Automation's Tim Mirth
When it comes to managing operational technology (OT) security, engineers and plant managers in process-manufacturing plants understand there are dangers that can stem from a compromised system. Beyond risks to secure information, a breached system can jeopardize the quality of an end product and even the safety of the people operating the plant.
There’s no doubt that securing these systems can feel like a significant investment of personnel and financial resources. But in lieu of massive infrastructure upgrades and distributed control system (DCS) modernization efforts, there are simple best practices you and your teams can implement—right now—to improve the security posture of your process systems.
Here are seven critical steps to take in the short term to protect the long-term security of your plant operations.
1. Compile an updated asset inventory
It’s no surprise that systems will change over time. As systems are saddled with new hardware or software and become less homogenous, having a clear understanding of your assets is essential—and while creating a comprehensive inventory list can seem daunting, it’s impossible to protect parts of a system if you are unaware of what’s there.
An inventory of physical and logistical assets will help your team understand the status of your products and systems and whether they are approaching end of life or need to be updated.
2. Document software and firmware versions to identify vulnerabilities
An inventory list should include more than just pieces and parts—it needs to cover what software versions are supported across the entire process system. Keep an up-to-date list of your plant’s software and firmware versions to help you understand the status of your system.
Once you have the current software and firmware versions, you can identify whether or not there are known vulnerabilities that could be exploited and develop a plan to patch or update them. Related to this, it’s essential to have updated software or firmware, as there are often specific security patches built into those updates. Trusted vendors—including Microsoft, Cisco and Rockwell Automation—can offer support to help address system vulnerabilities and verify procedures.
3. Know who your users are—and stay on top of who has access
It may seem self-explanatory, but a crucial part of protecting your system is knowing which people use it. With employee turnover and new hires being an unavoidable part of any industry, it’s important to document who your system users are and what permission levels they have. Oftentimes, this review can also help identify stakeholders who may not need full system access—a step that limits the risk of harmful stakeholders accessing sensitive system information.
4. Build physical perimeters to protect systems
We’ve all seen shows and movies where the “bad guys” put on the hard hat and badge to blend in and steal valuable assets or information, but this fictionalized scenario can easily become reality without the right protections in place. All the software protections in the world cannot protect your control system if someone can walk right up to it.
Review the physical access controls and policies that protect your system architectures. Installing door locks, physical barriers or port locks can be a highly effective, low complexity means of reducing security risk across a plant. Shutting down unused ports is another effective strategy to reduce potential entry points to access and breach a system.
5. Review network data flow
Once you have a comprehensive understanding of what equipment and systems you have, you’ll be able to determine what needs to communicate and what doesn’t.
Implementing logical and physical network segmentations can shrink the potential surface area of infiltration, which could protect disparate zones from infecting one another. A flat network also clogs performance, so network segmentation can help improve overall productivity when possible.
6. Have quality backups in a secure location
Layers of protection between the outside world and your process-control system is essential, but no amount of protection can ever fully eliminate risk. In the event of a system failure or an unforeseen breach, quality backups can be critical to get up and running again.
It is important to test current backups regularly so that you know they will be good when you need it. Process systems constantly change and evolve, so it’s important to establish a regular backup process—and to document how authorized personnel can restore from backup files if the need ever arises.
7. Create an OT security program
Unfortunately, security cannot be guaranteed by simply buying technology; it takes a fully developed and continually refined process to protect systems. Threats are constantly changing and evolving, and the right security program needs to be flexible and proactive to protect against the latest threats. Training your team and contractors regularly on the best practices to identify risk is vital.
Without the right people and security processes in place, plant operations are vulnerable to system breaches and unforeseen threats. Finding the right partners and vendors helps refine security protocols and is an essential step of maintaining a system’s security posture. Ensure your partners and their products are following security lifecycle best practices as found in ISA/IEC 62443-4-1 and other established security standards.
Tim Mirth is Rockwell Automation’s PlantPAx platform leader
