Lack of documentation
In many companies, system and policy changes often happen organically. Changes are made ad hoc, with new components and assets added wherever they will fit. Operational and procedural knowledge is communicated verbally or relies on unmanaged guides produced by end users. Clear, accurate, and properly documented policies and procedures are a crucial component in maintaining safe, secure, and efficient system operation. Likewise, a lack of sufficiently detailed technical documentation not only hinders cybersecurity defence by obscuring potential system vulnerabilities, but also undermines effective business continuity and disaster recovery, both in response to random component failure and in the event of a cyber incident.
Unrealistic service life expectations
The days of installing an industrial control system and letting it run for 10 or even 20 years with minimal maintenance are well and truly over. Technology is advancing rapidly – as are the capabilities of those seeking to abuse it. In order to stay protected against cyber-attacks, companies need to be realistic about the service life of their systems. Periodic software and firmware updates along with shorter asset replacement cycles for non-industrial hardware like computers and servers are an absolute must.
Lax asset management
Too often companies have no knowledge or visibility of the assets they have in place, or of their purpose and criticality to the process. There may be insecure, obsolete legacy assets on which critical functions depend, or assets that are no longer needed yet have not been removed. This leaves security vulnerabilities where patches are not implemented. Even top-end PLCs have firmware in which vulnerabilities are found and which requires patching.
Insecure remote access
Remote access to industrial control systems may seem convenient, but it can bring many risks. If remote access is achieved through a third-party vendor, for example, security controls may be bypassed. In some cases, multiple vendors may be used to access the system at different points. Such access may not be controlled by the system owner, nor is it logged or auditable at the individual level. System owners should not be lulled into a sense of ‘security through obscurity’, thinking that nobody could possibly find a way to connect to the system. Hackers will always find a way if they can, and commonly available tools are making this increasingly easy.
Use of ‘black box’ technologies
Including technology that is not well understood by the system owner is similarly problematic. Companies should never accept vendor or integrator claims at face value. A clear description of the asset, its function, and its method of operation should be sought. Firewalls, for example, are a common component in cyber defences, but they are only effective when carefully configured for the requirements of the specific process. System owners should ensure they understand and have documented details of every asset, especially those owned or managed by a third party.
No asset monitoring
Every asset in a control system is a useful source of security and health information. Collecting this data centrally and monitoring it continually improves both the security and reliability of the process – and assists proactive maintenance. There’s no such thing as a ‘fit and forget’ security device. Anti-virus software, firewalls and system logs that are left unmonitored are only marginally better than no protection at all. Furthermore, logs from conventional assets like PLCs, network switches, and operator terminals give key visibility into the security and status of the system as a whole.
VINCI Energies brand Cougar Automation can help companies mitigate the risk of a cyber-attack wherever they are in their cybersecurity journey – from audit, risk assessment and developing good governance, to the design and commissioning of cyber-security defences.
*Since May 2018 essential services must implement at least a basic level of cybersecurity protection under the Security of Network & Information Systems (NIS) regulations (2018) in UK law.