With the number of attacks on industrial applications rising and the critical need for plant system availability, take simple steps now to minimize risk. You can decrease unplanned downtime while helping to protect your organization. Here’s how …
Check the Expiration Date
Software doesn’t usually come with an expiration date, but the expiration date on your operating system might have already passed. If you’re using Windows XP, that “expiration date” was April 8, 2014 – the date that Microsoft stopped supporting XP. Don’t use software that is no longer supported by the manufacturer; you could be running with serious risk every day.
In addition to your OS, make sure your other software packages are still supported. Were any of the vendors acquired? Do the new companies still support those software packages? Our business environment today is constantly changing – make sure your software is keeping up.
Schedule HMI/SCADA risk assessments and reviews
Minimizing risk isn’t a one-time or once-a-year activity. With serious threats on the rise, you need to incorporate risk assessments and reviews into your schedule.
The frequency of your risk assessments depends on your particular business, industry and plant applications. Start with a conservative, high-frequency schedule – you can always increase the time between assessments as needed. Assign a risk-reduction champion for plant operations to provide leadership and consistency for the program.
10 sample questions for each review
Are you using obsolete software (Windows XP or other)?
Are you running your application under non-default, non-administrator accounts with low privileges? Have you removed the default ADMIN and GUEST accounts and created a separately named administrator account instead?
Where are the points of entry/failure?
Are you properly isolating (DMZ) servers from untrusted network access?
Is your system missing any security patches? Are you using the most up-to-date version of your software?
Are you managing Bring Your Own Device (BYOD) securely?
Do you have spare parts, and when were they last tested?
Have you put additional controls in place to protect the HMI/SCADA security files from change?
Have you changed the default password for Trusted Network Computing?
Do you have an up-to-date backup plan in place?
Upgrade, the Right Way
If you do have outdated software in your plant operations, make a plan now to upgrade the right way. Rethink your HMI/SCADA strategy – securely. Some HMI/SCADA users haven’t updated their systems in 10 years or more. Don’t just upgrade. Review your system with experts and use an upgrade as an opportunity to assess and modernize.
4 steps to include in your upgrade plan
Check and limit users’ rights
Update / install the latest anti-virus software
Create a controlled zone around your machines – place them behind a firewall
Make sure you have installed all of the latest service packs
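As an added example that is not from the article or from GE Intelligent Platforms, the following PowerShell script performs a read-only self-check of a Windows HMI/SCADA host against several of the review questions above (obsolete OS, default accounts, low-privilege accounts, missing patches) and the upgrade steps just listed (limited user rights, firewall, service packs). It assumes PowerShell 5.1 on Windows 10 / Server 2016 or newer; the service-name pattern and patch-age threshold are site-specific placeholders.

```powershell
# Added example, not code from the article or from GE: read-only self-check of a
# Windows HMI/SCADA host against the review questions and upgrade steps above.
# Assumes PowerShell 5.1 on Windows 10 / Server 2016+ (Get-LocalUser, Get-NetFirewallProfile).
function Invoke-HmiHostReview {
    param(
        [string]$ServiceNamePattern = 'HMI%',   # placeholder WQL pattern for your HMI/SCADA service
        [int]$MaxPatchAgeDays = 90              # placeholder: your site's patch-cadence policy
    )
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Check, [bool]$Ok, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Ok = $Ok; Detail = $Detail })
    }

    # 1. Obsolete OS: every Windows release before 10.0 (XP, 7, Server 2012 R2 ...) is
    #    out of vendor support unless paid extended updates are in place.
    $os = Get-CimInstance Win32_OperatingSystem
    Add-Finding 'Supported OS' ([version]$os.Version -ge [version]'10.0') "$($os.Caption) $($os.Version)"

    # 2. Built-in Administrator (RID 500) and Guest (RID 501) should be disabled in
    #    favour of a separately named administrator account.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -match '-50[01]$' -and $_.Enabled }
    Add-Finding 'Default accounts disabled' ($builtin.Count -eq 0) (($builtin.Name -join ', ') + ' enabled')

    # 3. Least privilege: the HMI/SCADA service should not run as SYSTEM or as a local admin.
    $admins = (Get-LocalGroupMember -Group 'Administrators').Name
    $svcs = Get-CimInstance Win32_Service -Filter "Name LIKE '$ServiceNamePattern'"
    foreach ($svc in $svcs) {
        $acct = $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"
        $privileged = ($acct -eq 'LocalSystem') -or ($admins -contains $acct)
        Add-Finding "Service $($svc.Name) low-privilege" (-not $privileged) "runs as $($svc.StartName)"
    }

    # 4. Patch currency: age of the most recently installed update / service pack.
    $last = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $age = if ($last) { (New-TimeSpan -Start $last.InstalledOn -End (Get-Date)).Days } else { [int]::MaxValue }
    Add-Finding 'Patched recently' ($age -le $MaxPatchAgeDays) "last update $($last.HotFixID) $age days ago"

    # 5. Controlled zone: the host firewall must be enabled on every network profile.
    $off = Get-NetFirewallProfile | Where-Object { -not $_.Enabled } | Select-Object -ExpandProperty Name
    Add-Finding 'Host firewall on all profiles' ($off.Count -eq 0) ('disabled: ' + ($off -join ', '))

    return $findings
}

# Run from an elevated session so group membership and service accounts are fully readable.
Invoke-HmiHostReview | Format-Table -AutoSize
```

Each row with Ok = False is an item to carry into the review record; the script changes nothing on the host.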
Consider technologies that will make the life of your plant and IT personnel easier. For example:
Can existing XP machines be converted into thin clients or virtualized?
Can critical applications be migrated to a server-based machine?
How many applications are you running that could be consolidated?
What applications can you leverage to turn your installation into a web-enabled one?
What applications are available now that can extend the functionality of your HMI/SCADA? Have you considered new levels of efficiency by adding simple analytics, task management or alarm response management?
How are you storing and analyzing your data to improve operations? Have your needs grown beyond a relational database, so that it’s time to consider a historian?
Put rigor around security
The priority for plant systems has historically been availability. Plant operations simply must keep running in order to achieve organizational success. However, plant operations teams need to include cybersecurity as a high priority and implement best practices to minimize vulnerabilities.
Security is the process of maintaining the confidentiality, integrity and availability of a system.
Confidentiality: Ensure only the people you want to see information can see it.
Integrity: Ensure the data is what it is supposed to be.
Availability: Ensure the system or data is available for use.
Leverage standards and best practices
A wealth of current information exists about how to reduce risk in HMI/SCADA systems.
Software vendors have the best information regarding your particular applications. Reach out to them for their advice and best practices. Read your software manuals and follow the instructions, especially concerning networks/connectivity and user accounts/privileges. For example, if a manual recommends that you disable or remove a certain account after installing a driver, then don’t forget to do it.
Also, tap into the many industry associations. Learn about new standards and implement the parts that fit your situation. Not every standard – or even all sections of a standard – will work for you, but you can use the standards as a framework and add to them.
Check into ISA, MESA and other plant systems organizations for more information and learning opportunities during the year. Government agencies, such as the U.S. Department of Homeland Security, National Institute of Standards and Technology (NIST), and U.S. Department of Energy, have valuable information – which applies to almost every SCADA user. Additionally, some industries, such as water and power, have entities such as the North American Electric Reliability Corp. (NERC), which provide information on HMI/SCADA risk reduction and security.
Be smart with Secure-by-Design innovation
The good news is that HMI/SCADA software design can inherently reduce some exposure to risk. Fundamental engineering principles mandate safe and reliable systems, and new secure-by-design innovation takes those traditional practices to a higher level.
Minimizing risk should be a top priority for every HMI/SCADA user. Take advantage of standards, best practices and information sharing. Tap into software vendors, who work with industry working groups and standards bodies, government agencies, and the security research community to continually improve industrial automation and control systems and global infrastructures.
Plan a risk assessment program for your organization – and stick with it. Simple steps, such as upgrading unsupported software and limiting user rights, can make a big difference. There are many ways to reduce risk, but it is important to take the steps now – before unplanned downtime and disaster occur.
Bernard Cubizolles, Global Marketing Manager, and Alicia Bowers, Product Marketing Manager, Automation Software Business, are both with GE Intelligent Platforms.
Source: GE Intelligent Platforms