“Plausible deniability is not a security strategy.”
This blog post is for users who have not taken any steps towards securing their networks. At some random time in the near future a hacker will shut down your machine, your line, your plant. How will you try to invoke deniability?
Production is air-gapped. There is no connection to the Internet.
We’re such a small target; why would anyone hack us?
There was never a budget for that.
That was not my responsibility!
I could never justify the expense on the corporate forms – how could I compute an ROI?
The air gap is a myth. How do you know it’s air-gapped? Did someone examine the network for unexpected connections? At our 2015 General Assembly Meeting the security speaker answered the question “If you do just one thing for security, what would it be?” The answer: know your network. He outlined the tools to do that with.
Even if you’re not targeted you could be shut down by a “generic” virus, trojan, or rootkit. What steps are you taking to prevent these? Work with your automation supplier to ensure your prevention tools are compatible with their software.
Justifying a security project is tough… until after you’re attacked. You do have a plan on how to react to an attack, right? In applying functional safety you evaluate the risk and mitigate it. You have to do the same for security. I wish I could help, but your plant, your budget, and your procedures are unique.
It’s your plant. Security is your responsibility. Here are the steps I recommend:
- Learn. What are the possible risks? What solutions are available?
- Assess. Evaluate the risks at your plant. Get professional help if needed.
- Design. What steps should I take?
- Implement. Put what you’ve learned and designed into practice.
- Monitor. Track attempted intrusions.
- Repeat. Security is a process, not an event. Things change. New threats emerge. New solutions become available.
Deniability is not going to be enough. Start now to secure your network. The Automation World webinar: Industrial Security in the Real World: Practical Steps does not assume you are in greenfield situation, it recognizes you already have a network and explains how to incrementally secure it. The PROFINET Security Guideline summarizes well-known security techniques.
Read the full PROFINET security guideline: