Security on a roll
“Industry is just now starting to learn what they need to know when it comes to securing a control system,” said Eric Byres, who heads up Byres Security, during Tuesday’s keynote address at the Honeywell EMEA Users Group conference in Seville, Spain.
“Accurate historical data is critical if we wish to effectively secure our control systems,” he said.
Toward that end, Byres’ company has an industrial security database with 22 companies that submit information. Right now, he has 135 incidents in the database and he gets 10-15 reports a quarter. Conservatively, Byres said, there are about 400-500 attacks on control systems a year in the United States. That does not account for attacks on systems in other regions of the world. The dynamic of who is hacking into systems has changed also. At one point, 58% of the attacks were accidental, 27% came from external sources and 15% were internal. Today, however, 61% are external attacks, 32% are accidental and only 2% are internal.
Knowing there are people planning attacks means companies should be proactive. “There are clearly some flaws out there,” Byres said. “We can’t stick our heads in the sand. We can’t hide behind security through obscurity. What we currently lack is security certification. We need a third party to test and certify that a system is secure.”
In addition, Byres said you would not believe which systems a hacker can get into. He said even printers are susceptible to hackers. One time a hacker was able to use a printer’s system to spam pornography, he said.
“Anything that has an embedded processor needs to be secure,” he said.
Security does not come by just installing a firewall, but rather from an intelligent plan that adds layers.
“A single point of defense is a single point of failure,” he said. “You need layers of protection.” But, he added, the manufacturing side of things has different needs and therefore should have a plan of attack for the plant floor. “We want security that works in our environment, not what works in the IT world.”
Ioannis Kioufis, DCS section head for Motor Oil (Hellas) in Greece, agrees. “Security is like an onion; it has many layers.”
Simply stated, Kioufis said there are three layers of risk: high, medium and low. “Do you relax when you are low risk? No way. You have to work hard to stay at that level. Security is a journey, it is not a destination. You never arrive.”
“If you prepare well,” Kioufis said, “your journey will be smooth. You can fight your enemies and win.”
Talk to me.