Automated Systems Protection

Automation systems seem to add new technical capabilities almost daily. Modern automation systems use information technology (IT) capabilities to provide better control of the automation. Those IT capabilities require security, regulatory compliance, and operations management like never before.

The past two years have been a wakeup call for the industrial automation industry. It has been the target of sophisticated cyber attacks like Stuxnet, Night Dragon and Duqu. An unprecedented number of security vulnerabilities have been exposed in industrial control products and regulatory agencies are demanding compliance to complex and confusing regulations. Cyber security has quickly become a serious issue for professionals in the process and critical infrastructure industries. If you are a process control engineer, an IT professional in a company with an automation division, or a business manager responsible for safety or security, you may be wondering how your organization can get moving on more robust cyber security practices.

We can offer you the guidance you need to achieve success. Our security services will put you on the right path in far less time than it would take if you were to begin on your own. We scour numerous industry standards and best practice documents, seeking the most comprehensive method to secure your environment. We combine our experience in assessing the security of industrial control systems, large corporate network topologies and decades of experience.

The result is an easy-to-follow 7-step process:

  • Step 1 – Assess Existing Systems
  • Step 2 – Document Policies & Procedures
  • Step 3 – Train Personnel & Contractors
  • Step 4 – Segment the Control System Network
  • Step 5 – Control Access to the System
  • Step 6 – Harden the Components of the System
  • Step 7 – Monitor & Maintain System Security
Request More Information

Control networks are targeted by the same modern cyber security threats that typical corporate networks face, but many industrial control systems in operation today were designed during a time when it was sufficient for networks to be physically separated (“air-gapped”) from their corresponding corporate networks. Designed under a model of implied trust, it was assumed that the only way a system could be on the control network was because it was explicitly authorized to be there. Therefore, it followed that there was no reason to specifically authorize communications between systems. But amidst the sensationalism the Stuxnet worm generated for its ability to sabotage an air-gapped control network, there was an important lesson: Air gaps as a cyber security technique have run their course and are no longer effective.

At the same time, it is important to recognize that information technology (IT) security solutions in use on the corporate network can’t be deployed interchangeably to protect the control network. The two management teams have different priorities. While IT is typically focused on the triad of confidentiality, integrity and availability, the control network operations technology (OT) team is focused on availability, integrity and confidentiality. When control networks fail, there are very real risks posed to human life and environmental safety. Availability and reliability are paramount and must be maintained at all times. Another consideration is ease of use. It is not uncommon to find cyber security as one of many functions for which OT engineers are responsible. Therefore, cyber security solutions deployed in control environments must be intuitive with minimal management requirements.