It has certainly been an exciting time to be in Industrial Security. This year we’ve seen attacks on the water supply in the US, on oil pipelines, and our health care systems. While these can be concerning events, I often get frustrated with the media coverage. To the general public, such events are often presented as apocalyptic and that our society is unable to do anything about them. But, in reality, we can.
Cisco’s leadership in industrial security
If you haven’t read my posts before, let me introduce myself. As an engineer in Cisco’s Federal division, I focus on the Internet of Things (IoT). That term means different things to different people. Within Cisco, it’s mostly about building networks that connect useful devices, rather than the users. I find industrial security fascinating. But the best part about it is helping customers who are trying to accomplish their mission securely and safely.
In an upcoming blog post my colleague, Emory Miller, will touch on critical infrastructure and how our customers are responding to the challenge of protecting the networks that keep our modern life spinning. Unfortunately, our customers are often in a difficult position. They’re trying to do more with less, trying to gather data from some really old networks, and trying to defend devices that may have been designed and built long before the concept of ransomware was even known. To top it all off, I think some of the advice they are given is probably overwhelming, and often unhelpful.
Where to start when it comes to industrial security
Fortunately, when it comes to industrial security, the best advice out there is actually straightforward and pretty easy to implement. A good example is the joint advisory by the NSA and CISA that provides recommendations for immediate actions to reduce exposure across all operational technologies and control systems. The whole document is five pages long (and one of those pages is notes). Let me just highlight a couple of things from the remaining four pages:
- Have a plan and exercise it: But make sure that there is a written plan for bringing your industrial devices back up – this is a key first step. And be sure to have backup copies of all the software for those devices.
- Make a map of your network: Calculate how many industrial devices your organization owns. Discover what devices are actually connected to the Internet. Understand how devices are connecting to the corporate IT network.
- See things from your adversary’s perspective: There are tools like Shodan that will search Internet connected industrial devices around the world. By looking for your own organization and devices, you could uncover vulnerable devices you weren’t aware of.
I only mean to highlight a few of these recommendations for industrial security. And these recommendations may not fix all of our critical infrastructure problems. But, unlike the media, I feel the cybersecurity challenges facing both the public and private sector can be overcome. Attacks on our critical infrastructure may, indeed, be a permanent part of our IT landscape. Fortunately, the vast majority of them can be prevented or mitigated through some very simple steps. I wish that was reported more often.
Next steps
Please feel free to contact me if you have any questions about industrial security. Or take a look at our Industrial Security Design Guide to take a deeper dive on the topic. And remember, when it comes to industrial security, there are many simple steps you can take today to keep our critical infrastructure more secure.
I totally concur, (industrial) security is no rocketscience. Recommended actions completed by a decent patch management and rest risk reduction can save you a lot unnecessary trouble and image loss.