By Fred Gordy
The biggest thing holding most facility managers back from securing their systems is fear of the unknown. How much will this cost? How hard will the change be? How inconvenient will it be? What else will it add to the daily to-do list?
The good news is that there is a lot of low hanging fruit — actions that will incur minimal cost. The first thing a facility manager can do is find out if the system has a public IP. If so remove it and get it behind a firewall. If remote access is needed, there are several low-cost remote access solutions. Just by doing that, the control system is now hidden from search engines like Shodan and Censys, making the system much harder to find.
As mentioned earlier, ransomware attacks are up — and relatively speaking, up significantly — on control systems. Ransomware has several delivery methods, but the most common is through email or social media. By restricting direct access to front-end, the facility manager will significantly reduce the probability of a ransomware attack. The front-end needs to be moved off the engineer’s desk, even if the engineer’s office is locked most of the time, and placed into a locked closet with the keyboard, mouse, and monitor removed.
It is essential to make sure every user, including your vendor, has a unique user name and to make sure no one shares user credentials with others. This also means establishing access policies for both employees and vendors. The policy would require at a minimum the following:
• Least privileges: Users of the system should have only the rights they need to perform their duties.
• Admin privileges: The rule of thumb is that approximately 10 percent of users should have admin privileges but no greater than 4 and no less than 2. For example, 10 users translates to two admins. With 30 users, there would be three admins. For 100 users, there would be only 4 admins.
• Vendor users should be disabled and only enabled during the time the vendor is performing work requested by your company.
• Employee access cessation: If an employee is no longer employed or no longer has need to access the system, they must be removed from the system on the last day of employment or last day they need access.
• Vendor access cessation: The vendor should be required to inform the facility manager within 24 hours if an employee is no longer employed by the vendor or no longer requires access to the system.
• Automated password expiration (if system can do that): Establish an acceptable number of days for the team and enable password expiration. It is recommended that the maximum number of days not exceed 90.
• Manual password expiration: Assign an admin to monitor users’ password aging and notify them when their passwords need to be changed.
• Assess: Determine specific risk by equipment type and function. Document the primary risk and recovery plan when an event occurs.
• Inventory: Make sure all the devices that are connected are supposed to be connected and are connected appropriately. Remember the printer example? Once that happened the company thought the wireless access had been disconnected from the printer. An audit showed that it was still connected. Inventory is not a “one-and-done.” Establish a periodic inventory review and change management process.
There are many more things that can be done at low or medium cost to secure a facility. The list above will get you pointed in the right directions. The National Institute of Standards and Technology has established an elegant and simple principal in their cybersecurity framework that gives a high-level approach to securing systems:
• Identify: Learn to manage cyber security risks.
• Protect: Limit or contain the impact of cyber security events.
• Detect: Identify when a cyber security event occurs.
• Respond: Take action when a cyber security event is detected.
• Recover: Maintain plans for resilience and restore capabilities or services impaired due to a cyber security event.
You can learn more at NIST.
The bottom line is that the days when control systems were not on any hacker’s radar are gone. Control systems are seen as easy targets. As a result, IT departments are beginning to be more involved in helping secure control systems, and that’s great, but it’s not enough. When a control system is being assessed, and a report/remediation plan is being created, three risks must be factored in. The obvious is the cyber risk.
A second risk is the financial/business risk. This one has components that are somewhat easy to quantify, but it is always tough to assign a dollar value to brand damage.
The risk that is typically not thought of is the operational risk if IT implements its own cyber security measures on the control system. Operational risks are anything that could impede or disrupt system performance. Some IT threat-monitoring or corrective technologies can literally cause control systems to fail or lockup or at the very least disrupt communication, which in turn could prevent sequences of operations from functioning. The remediation report must include what IT can and cannot do.
Facility managers have many responsibilities, and few want to add cyber security to the list. They already have their hands full with running the facility. But we are in a new era where everything is connected, which means it’s time to stretch skillsets. Done correctly cyber security will not add an unmanageable amount of work to the load, and the facility will be safer.