Security Summit in London highlights the importance for IT and Automation collaboration to mitigate cyber risks to critical infrastructure
8 November 2011
Rockwell Automation and Cisco Systems use strategic alliance to show how vigilance and unity across IT and Engineering can help protect critical infrastructure, such as that owned by Severn Trent Water, from potential security threats
A summit held yesterday in London focused on critical differences in the perception of security threats to systems compared to industrial automation systems. Rockwell Automation drew attention to the specific issue which it regularly sees through its global operations with critical infrastructure companies and offered simple steps to improved security practice. Through its strategic alliance with Cisco Systems, Rockwell Automation offered insight to potential control system security risks and provided some simple, yet effective steps that can mitigate such threats.
Doug R. Wylie, Manager, Networks & Security, Rockwell Automation said: ‘While many companies and organisations already appreciate the importance of IT security, at times the security of the automation system and critical assets are not as highly prioritised. Security threats to critical infrastructure are real and risks can be reduced through vigilance, successful teaming of IT and Engineering, and careful attention to detail.’
Paul King, Senior Security Advisor, Cisco Systems added: ‘The security of critical infrastructure has been of concern for years. A growing number of publicised security breaches coupled with the discovery of the Stuxnet malware last year serve as stark indicators to asset owners that network security is both critical and requires constant attention.’
Along with Wylie and King, the Centre for the Protection of National Infrastructure (CPNI) and UK delegates from across the critical infrastructure framework such as Severn Trent Water were welcomed by representatives from the US Embassy and The United States Department of Homeland Security. Andy Henton, Asset Strategy Manager - Waste Water, Severn Trent Water, provided an insight into the security challenges facing modern Water Suppliers and how they are being addressed. Henton outlined how the company strives to mitigate security risk by employing a comprehensive security program that includes company policy, defined procedures, and both physical and cyber security controls such as layered security and defense-in-depth countermeasures. In addition, Severn Trent Water works closely with automation vendors and the broader security community to recognise and mitigate risks and threats.
The importance of addressing industrial security to help maintain the safety, availability and operational integrity of critical systems and infrastructure was also discussed, with attendees at the event benefiting from industry-specific knowledge and examples focusing on the following areas:
• Power Generation
• Renewable Energy
• Oil & Gas
• Banking (critical IT infrastructure)
Rockwell Automation went on to highlight five critical, yet easily implemented steps that can help improve the security of industrial control systems and also help unify IT and Engineering to collaborate against common threats:
1. Limit physical and network access to mission critical systems to only trained and vetted personnel or accredited partners, vendors and systems integrators.
2. Incorporate firewalls and intrusion detection and protection systems into network infrastructures to control information flow between the automation system and the higher-level enterprise systems or the Internet. Follow network design guidelines such as the Converged Plantwide Ethernet Architecture Design and Installation Guide developed jointly by Rockwell Automation and CISCO and available at http://www.ab.com/networks/architectures.html.
3. Adopt a patch management program that includes policies and procedures to keep critical automation equipment and software updated. Obtain patches from trusted sources and pre-test all patches before applying to mission critical systems.
4. Set new passwords, and periodically change existing passwords to help control user access to critical systems and specific assets. Avoid using universal, default or simplistic passwords that may give a wrongdoer easy access to alter critical programs and configurations or even potentially deny access to authorized users should a password be changed.
5. Where possible, turn the keys or set physical mode switches on all Rockwell Automation controllers to ‘RUN’ mode. When RUN mode is selected, physical access to the controller is required in order to make changes to its programs or configuration. The key switch has the added benefit of also preventing the controller’s firmware from being corrupted or changed to a version that may contain known vulnerability intended for exploit.
For more information about the threat and potential vulnerability of industrial automated systems as well as guidance for methods to defend systems from potential security threats, visit http://www.rockwellautomation.com/security