The industrial internet has allowed the integration of machinery with networked sensors and software. But as the number of connections has grown, the risk of a cyberattack has increased exponentially. What can you do to protect your facility?
Two experts from GE Digital — CIO Clay Johnson and Chief Security Officer Russ Dietz — provide some insights based on their experience managing and monitoring more than 1,500 connected assets and 28,000 power generation assets through the internet.
GE assessed a number of facilities and found:
- All had at least one system with a vulnerable operating system
- User access practices didn't align to industry best practices
- Half had at least one system circumventing the firewall
- None had effective cybersecurity monitoring
- The longest time since an administrator password had been changed was 12 years
As your facility becomes more connected, it also needs to become more secure. Johnson and Dietz outline five steps to minimize your risk.
1. Assess vulnerabilities. Know how systems are deployed and what your highest risks are. Your assessment should include:
- Patching procedures
- Endpoint protection
- Antivirus software
- Backup and recovery procedures
- Physical security (who has access)
- Fundamental security training
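As an added illustration (not GE's code and not part of the original article), the script below scores a constructed three-asset inventory against the four findings listed above: an unsupported operating system, a path that circumvents the firewall, missing security monitoring, and a stale administrator password. The operating-system end-of-support dates, the one-year password-age threshold and the assessment date are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import date

# Constructed end-of-support dates for the example; use vendor lifecycle data in practice.
OS_END_OF_SUPPORT = {"Windows XP": date(2014, 4, 8), "Windows 7": date(2020, 1, 14),
                     "Windows 10": date(2025, 10, 14)}
MAX_ADMIN_PASSWORD_AGE_DAYS = 365  # assumed policy threshold, not from the article
ASSESSMENT_DATE = date(2018, 6, 1)  # constructed "today" for the sample inventory

@dataclass
class Asset:
    name: str
    os: str
    admin_password_changed: date
    behind_firewall: bool  # False means a path exists that circumvents the firewall
    monitored: bool        # True means the asset feeds a SIEM or similar monitoring

def assess_asset(asset: Asset, today: date) -> list:
    """Return the findings for one asset, mirroring the four GE assessment points."""
    findings = []
    eos = OS_END_OF_SUPPORT.get(asset.os)
    if eos is None or eos <= today:  # an OS not in the table is treated as unsupported
        findings.append("vulnerable operating system")
    if not asset.behind_firewall:
        findings.append("circumvents the firewall")
    if not asset.monitored:
        findings.append("no security monitoring")
    if (today - asset.admin_password_changed).days > MAX_ADMIN_PASSWORD_AGE_DAYS:
        findings.append("stale admin password")
    return findings

def assess_facility(assets: list, today: date) -> dict:
    """Roll per-asset findings up into the facility-level statements the article uses."""
    per_asset = {a.name: assess_asset(a, today) for a in assets}
    flagged = per_asset.values()
    return {
        "per_asset": per_asset,
        "any_vulnerable_os": any("vulnerable operating system" in f for f in flagged),
        "any_firewall_bypass": any("circumvents the firewall" in f for f in flagged),
        "none_monitored": all("no security monitoring" in f for f in flagged),
        "oldest_admin_password_years": max(
            (today - a.admin_password_changed).days // 365 for a in assets),
    }

SAMPLE_ASSETS = [  # constructed inventory of three connected assets
    Asset("hmi-01", "Windows XP", date(2006, 3, 1), True, False),
    Asset("historian", "Windows 10", date(2017, 9, 12), False, False),
    Asset("eng-ws", "Windows 10", date(2018, 1, 5), True, False),
]
```

Running `assess_facility(SAMPLE_ASSETS, ASSESSMENT_DATE)` reproduces each of the four findings on the sample, including a 12-year-old administrator password on the HMI.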
2. Determine immediate actions for remediation. Once you have completed your assessment, implement actions to address any problems. Actions may include:
- Automating backups
- Recovery and patch management
- Isolating and monitoring vulnerable techniques
- Network assessment
- Automated password management
- Restricting system access to authorized users
- Segregating the firewall
- Deep packet inspection (searches for viruses, spam, intrusions)
- Updating the list of authorized applications and networks
- Preventing execution of undesirable programs containing security threats
3. Align IT and operational technology (OT) approaches. The two departments have different security priorities: IT focuses on confidentiality, whereas OT focuses on availability. IT's strategy is to protect data, while OT looks to protect processes. Both departments nevertheless need to be on the same page regarding security, so a security strategy should include input from the CIO, the operations executive, the facilities manager and the chief security officer.
4. Evaluate and implement technology solutions, which should be directed, preventative and organized. These include:
- Penetration testing (an authorized simulated attack that looks for security weaknesses)
- Security information and event management software (real-time analysis of security alerts generated by applications and network hardware)
- Certificate authority, compliance management and enforcement
- Network anomaly detection and malware identification
- Configuration management and incident response
You may also want to establish a security operations center depending on the size of your facility or if you have multiple locations.
5. Align the security system with the most current best practices. Start with the ISO/IEC 27000 series, a family of more than a dozen standards outlining requirements for an information security management system (ISMS), which helps organizations keep information assets secure. ISO/IEC 27001 applies a risk management process to people, processes and IT systems.
Following these steps and mapping out risks are critical to developing a successful security strategy. You should also evaluate hardware vendors for best practices and confirm the quality of their cybersecurity practices.