Industrial Security Horror Stories Need a Happy Ending

When you tell a story, or, in this case, write a blog, it’s always good to set the scene. The idea being that the reader understands what you are telling them along the correct context. So, here goes…

Imagine you are at an industrial plant for a heavy industry. You’re there to assess their network infrastructure to check for security flaws. During the assessment, you notice a server with three Ethernet connections. Convinced there should only be two, you ask the company “What is this third one?”

Their response: “It is the connection to the ERP system.” Slightly perplexed, you reply with: “But your ERP system is on the IT network, right? And the IT network has Internet access? So your critical OT system is connected to the internet?” It doesn’t end there…

I hope that you spotted the issue here. Openly accessible networks or poorly configured architectures can leave companies open to a myriad of issues, both accidental and malicious, either of which can create operational, legal and safety nightmares. You only need to look at the impact high-profile malware attacks have on people, companies and even utility providers to see that this is a massive problem.

Connectivity is vital to success. Companies need to be able to access raw production data and turn it into useful information to drive decisions. And to do this they need smart technologies that can help them better understand their operations, enforce workflows, optimise asset utilisation and improve collaboration.

You can do all of this and more in a Connected Enterprise, but first you need a modern, secure and reliable information infrastructure to connect the assets, people and information that make up your business. If your network is poorly designed or unsecure, all these operational gains can come crashing down with even a simple low-tech malware attack or data breach.

Smart industrial devices coupled to robust and secure OT networks often fall outside of the comfort zone of traditional IT managers, so you should consider vendors that can deliver both OT and IT experience. There are plenty with experience in IT, and a fair few with OT knowledge, but experience with both is thin on the ground, so you need to make an incredibly objective decision.

Let’s take you to a different plant now.  The plant manager tells you that the plant is safe: there’s no Wi-Fi, no USB, and the wired network is only internal with no connection to the internet. But what happens when they need to retrieve a patch from the internet? How could they do it with no connection to the outside world? Well the maintenance technician takes out a mobile phone, opens a hotspot and connects a PC to download the file via a 4G network.

The problem is that people make mistakes, and they will often look for ways to make their lives easier.

In the vast majority of scenarios, they make these mistakes without a hint of malice in their actions. But even the simplest shortcuts can have far reaching consequences, and it is the simple things that often go ungoverned. Only a holistic approach to security and network design can help address these issues, along with major educational initiatives to explain the dos and don’ts of network usage.

I wanted this to be a nice blog, one that would make you smile and put a spring in your step, but sometimes serious stories are the best way to share a message. If I have got you thinking about your network design, or the inventiveness of the team down on the shop floor who always seems to find interesting ways to “fix” software, then my work is partly done.

The work following this is certainly not a walk in the park, but with the right team on board you can turn a three to five year network upgrade project into an effort of just 18 months. Trust me, we’ve done just that!