The best way to succeed is to identify how to fail, then adapt accordingly. So, here’s how to lose:
1. Focus on technology, not psychology.
2. Think that cyber security is an IT-only problem.
3. Believe that an air gap will save you.
We live in a connected world and that’s not about to change. Actually, our world will only become more connected – think Internet of Things – and whether or not some things should be connected is irrelevant. As long as the perceived benefits are greater than the risks, expect more connectivity.
Great. What do you do?
It’s important to understand that the good guys and the bad guys have one thing in common: they’re human. We all have our priorities and those drive our behavior. Your priority is to maintain safe, reliable service. You’re going to follow established processes and procedures that will help you meet that goal.
An attacker’s priority is to steal your data and/or disrupt service. And they will use any means at their disposal to do so.
To defend yourself, you need to stop thinking conventionally and think like a hacker.
To be clear, there is a difference between hacking for good – white hat – and hacking for evil – black hat. Most hackers are of the white hat variety, but understanding how hackers, in general, think is important. How so? First off, hackers are always asking themselves, “What if…?” In other words, how can the conventional be used in unintended and unexpected ways? Think MacGyver. They don’t want you to see them coming.
Secondly, hackers love a challenge. If your organization is a high-value target, they’ll take all the time in the world to indulge themselves. The upside for vigilant defenders is that there are early warning signs that will alert you to their presence before they can do any real damage.
Lastly, hackers are opportunists who seek the path of least resistance. They won’t follow your org chart – they’ll exploit it. So if you think cyber security is somebody else’s issue, you’ve given the bad guys a hand.
Ready to play defense? Let’s try an exercise. Look around. Select a networked device and try to think like an attacker. Are you asking yourself, “Who would want to attack that?” If so, then you have just found yourself a potential attack target.
The more innocent a device may seem, the more attractive it becomes to an attacker because you’re not watching it. To the attacker, it’s a gateway to dig further into your network toward the real prize.
Now look around your control center. How many mobile devices are being charged through USB ports? How many of those devices have Bluetooth or Wi-Fi enabled? Is anybody using USB sticks? (I hope not!)
Everything is fair game to an attacker, and they will come at you from any angle they can find. Therefore, your defenses need to be layered and integrated.
This is defense-in-depth. Stuxnet proved that the air gap as a sole defense is a fallacy. The reality is, no one defensive technique can provide full protection. But if you make an air gap a part of your defense-in-depth strategy, you’ll be on the right road.
We aren’t going to become any less connected – the benefits are just too great. Those benefits bring risks that, like it or not, are now all of our responsibility to mitigate. So remember to put on a black hat once in a while. You’ll be the better for it.
To learn more, check out our guide 10 Questions for Your Industrial Control System Cybersecurity and our latest Factory Security Whitepaper.