Most cyber attacks could be avoided by adopting a list of Critical Security Controls that were created by the Center for Internet Security. Thats the message from Steve Mustard at his session at Design and Manufacturing Minneapolis last week. Mustard is a cyber security expert with the Automation Federation . His talk featured the newest version of the Critical Security Controls which was released by the Center for Internet Security in August.
While Mustard noted there is no perfect solution for avoiding attacks, he insisted that using the practices on the list will knock out most intrusions. The thing about security, like safety, is you cant make it 100%, and you have to keep improving it, he said. Yet the majority of cyber attacks -- 70% -- could be prevented by using the controls on the list.
Center for Internet Securitys Critical Security Controls:Inventory of Authorized and Unauthorized Devices Inventory of Authorized and Unauthorized Software Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers Continuous Vulnerability Assessment and Remediation Controlled Use of Administrative Privileges Maintenance, Monitoring, and Analysis of Audit Logs Email and Web Browser Protections 27 Malware Defenses Limitation and Control of Network Ports, Protocols, and Services Data Recovery Capability Secure Configurations for Network Devices such as Firewalls, Routers, and Switches Boundary Defense Data Protection Controlled Access Based on the Need to Know Wireless Access Control Account Monitoring and Control Security Skills Assessment and Appropriate Training to Fill Gaps Application Software Security Incident Response and Management Penetration Tests and Red Team Exercises
Part of creating effective cyber protection is getting a good idea what needs to be protected and where the entry points might be. You have to establish a good monitoring regime. The key thing is you have to understand what equipment you have and how its connected, said Mustard. If you dont understand that, youre going to struggle in protecting your assets.
Employees Can Make a Difference with Security
Cybersecurity isnt just technology and it isnt just the IT department. Everyone within the plant needs to be trained to spot intrusions. One of the things that can really help is the people in the organization. They can tell if one of their machines begins to operate in a funny way, or whether there are more pop-ups than usual, said Mustard. People can start to draw conclusions. When employees are aware and know what they can do to prevent an attack, the more likely you can avoid an attack in the first place.READ MORE ARTICLES ON CYBERSECURITY:
Plant Security: The Moving Threat, the Effective Response
Cyber Criminals Are Lurking on Trusted Sites
Your Cybersecurity May Impact Your Customers Safety
New-Age Hackers Are Ditching Smash-and-Grab Techniques
While employees can help detect intrusions, they can also inadvertently invite intrusions. People are a good first line of defense, but they are also the weak link in the chain, since they might open an attachment that lets the attack into the system, said Mustard. Even the best firewall on the perimeter isnt sufficient if an employee puts an unsecured USB stick into a computer on the system.
One overlooked area of vulnerability is the mobile devices that employees bring to work. Mobile devices can turn out to be a problem. Mobile devices are a permanent way people are doing business now. Bringing your own device to work is common at most companies. Most people prefer to have own devices. If its a personal device, they will probably protect it in their own way, which wont be as secure as youd like, said Mustard. Part of your protection is to make your people aware that their devices may be used as a way into the system.
Rob Spiegel has covered automation and control for 15 years, 12 of them for Design News. Other topics he has covered include supply chain technology, alternative energy, and cyber security. For 10 years he was owner and publisher of the food magazine Chile Pepper.