At a conference I attended recently for the water industry, a fellow attendee asked a panel how to implement some basic cyber security at his water plant with essentially no budget. I loved the honesty of the question, and I posed it to a couple of our in-house industrial cyber security experts when I got back to the office. Here are eight no-cost recommendations they provided for shoring up your industrial network security.
- Start with the obvious. There are some obvious things you probably already know about cyber security but don’t regularly follow. Don’t write down passwords. Don’t reuse passwords for anything. Don’t share passwords with other users. Don’t click on suspicious e-mails. Don’t install non-work-related software. The list is longer, but you probably can fill it in.
- Audit your accounts and logins. Check every SCADA client, engineering computer, lab computer, etc. in your plant to make sure accounts are only created for legitimate users and that each account is using a strong and unique password. Do the same for your SCADA and engineering software logins.
- Enforce individual access to computers and software. Do not allow sharing of accounts and passwords. This means no more “Operator” or “Engineer” accounts. Logins to computers and SCADA software should be named and unique to every user. Don’t allow auto-logins.
- Limit admin permissions on computers. Most users don’t need admin permissions anyway. This is a simple way to control what software gets installed on your plant computers and to make things more difficult for a hacker if they do get into your network.
- Know what is connected. Inventory your equipment and make a diagram of everything that connects to your network. Understand how and why it is connected. Pay close attention to any connections to the outside world (internet connections, cell modems, alarm dialers, office network connections, etc.). These are places you want to control access with a firewall, passwords, or simply by pulling the plug until needed.
- Write policies and enforce them. Like all crime-prevention, security tends to be inconvenient (think TSA). Making a policy will help ensure that the safe thing gets done even when the unsafe thing is easier. Start with basic policies like password rules, rules for who can connect outside computers or USB drives to your network, and updating operating systems and software.
- Update everything! This one might actually cost a little bit of money, but it is absolutely essential. Vulnerabilities for operating systems, SCADA software, and even PLC hardware like network cards are found regularly. The only way to close the door to hackers is to keep everything updated as manufacturers fix the holes.
- Treat cyber-security like safety in your plant. You probably have safety tailgate talks or start meetings with safety topics. Do the same thing with cyber-security. Most cyber-security attacks happen because someone left the cyber-door open. Begin creating a culture where most people do the right thing to protect your network.
Following these suggestions and best practices will make your network a much harder target for hackers. For more in-depth information on a structured approach to managing your critical control networks, click on the link below read our white paper or talk to our Industrial Networking and Cyber Security team about a thorough network assessment.