The current (Jan 2012) issue of GE Measurement & Control’s Orbit magazine includes an introduction to cyber security. It begins with a bewilderingly long list of standards and regulations that bear on cyber security. Risk management and defense-in-depth are presented as essential strategies, with NIST SP 800-37 as a framework for managing information system security risk. ‘Defense in depth’ involves multiple layers of defense: network, host computer and application. GE uses ‘misuse’ and ‘abuse case’ scenarios to identify security requirements. Manual and automated code reviews, ‘fuzz testing’ and penetration testing are also useful. GE has begun to evaluate its security posture using the ‘building security in maturity model’ (BSIMM). This joint industry working group publishes a suite of recommended practices and self-evaluation tools. GE has also initiated an internal certification program to secure products early in the development lifecycle.
Anti-virus vendor Kaspersky Labs has produced a white paper enumerating ‘Ten ways the IT department enables cybercrime.’ These include neglecting proliferating copies of data on USB sticks etc., failing to appreciate the value of data on mobile devices and being in denial about personal use of laptops and other mobile devices. It is a moot point as to whether these are really the IT department’s fault. Left to its own devices, IT would ban iPhones etc. and go back to diskless workstations without USB ports.
A new report from Industrial Defender and Pike Research highlights the need for an integrated approach to security, compliance and change management in industrial control systems. The report, ‘Convergence in Automation Systems Protection,’ found that because automation environments were developed over decades without a master plan, they now contain heterogeneous systems that are difficult to manage. This, combined with limited resources and the ‘exponential growth’ of intelligent device deployment, is creating an environment in which operators have limited experience.
© Oil IT Journal - all rights reserved.