Contracted Security


Should securing your network follow the model of securing your plant?  Most factory security guards that I’ve encountered don’t work for the company that owns the factory; they’re contracted.  Should you contract securing your network?  You probably contract at least some of your automation engineering to a System Integrator.  Is this any different?

This line of thought was sparked by a presentation at Electro-Matic’s Tech Tipoff last week.  Electro-Matic is a long-time distributor member of PI North America.  They invited me there to present a session on PROFINET, of course, but I had time to sit in some of the other presentations.  One of them, by Siemens’ Marty Jansons, introduced a new service that provides security assessments with the follow-on possibility of contracting network security.  The assessment process reminded me that network security is not just about the technology.  It’s also about physical security, security processes, and training the people.  I’m convinced that the most common attack vector is the post-it note – the one the operator stuck on his monitor with his username and password on it.

What is your conclusion?  Would you contract out network security?

If you have to go the DIY route, don’t panic; help is available.  There are many places to get help, including the brief security session at our PROFINET one-day training classes.  In those classes we present this list of additional resources:

The PROFINET Security Guideline was recently updated and now includes the latest thoughts on protecting your network with technology.

–Carl Henning

One Response to “Contracted Security”

  1. Kyle

    This is a great question to ask – but for me, it doesn’t come down to a simple “yes” or “no.” As you’ve hinted, there are shades of grey in between.

    I think it’s critical to have your network audited by an experienced security professional – and 99% of the time, you need to contract that work out. An outside perspective is the key here; I mean, I’m a pretty qualified shade-tree mechanic, but I’ll still take a car in for a professional inspection before I buy it. I need that outside evaluation to confirm that my decisions are the right ones. The same can be said for audits and evaluations.

    That being said, security is not a one-and-done checkbox on an acceptance test. Security threats constantly evolve, and a network designed to protect you against the common threats five years ago may be vulnerable to the latest and greatest hacks. Security is a mindset that’s impossible to contract out; it’s a constant process of training, evaluation, decision-making and review. I don’t know of anyone who provides the full suite of security services (intrusion prevention, detection, response, and recovery) on a 24/7 basis. Have you found a group in your travels that can handle that scope for an industrial facility or an enterprise network? I would imagine that the liability and bonding requirements would be enormous…

    TL;DR: So while you can contract your network design and evaluation out to third parties, you also have to invest internally to make sure that the security you buy by contract is used as efficiently and effectively as possible.

    – Kyle

    P.S. I would expect that if someone cares enough to infiltrate your physical security, they wouldn’t count on finding that post-it note on the monitor. They’ve come prepared to access your network via other means, and it’s all about intrusion detection and loss mitigation at that point. I think a better example would be an operator using a compromised USB thumb drive. And unlike the post-it note, it’s something that a surprise security audit would have a hard time detecting.

    What do you think?
