It is important to understand that the information security risks of the industrial internet come from the same sources as any other online threats. For example, paper machines are not vulnerable in themselves, but their auxiliary equipment, which is not always even thought of as online devices, should be protected. This auxiliary equipment is used to control conveyors, furnaces, cutters, and so on.
Large companies have sizable information security teams and also use external experts. Some companies put the responsibility on their IT support team and expect that to be good enough. Others simply make do with what they already know.
Including information security experts early on
We recommend including information security experts in business projects in the planning stage already and not only when the system is finished and ready for inspection – or worse, after damage was already done.
During planning, companies can point out their critical business areas and process stages for the information security experts to protect. This saves time and money. Globally speaking, Finland has a decent level of information security. We should take information security threats seriously but keep fears at bay. I am not looking to stoke fears about cyberthreats.
No rocket science is required for the information security solutions of the industrial internet, they can be understood with common sense. The key for security designs is to know what a given process or function must be protected against. Once the risk analysis is complete, the protections can be targeted correctly and the threat model maintained at the appropriate level.
Four types of network intruders
The first type of intruder are curious amateurs who are just trying their luck. The second type are activists who are driven by some ideology. The third type are criminals looking to benefit financially from stolen data by blackmailing the target, for example. The fourth type are state-sponsored threat actors.
Finland is not safe from attacks. Industry professionals regularly encounter attacks made with impressive resources. Likewise, industrial espionage is a reality for many companies.
Technical solutions are irreplaceable for building good information security
Many technical solutions, also sold by Sarlin, are invaluable when it comes to information security. A risk survey is required to choose the correct protection solutions. Combined with competent planning, tailored technical solutions form a complete system. The system’s devices must be configured correctly for the whole to function. Hardware alone is no guarantee of security.
In many cases, remote control is the Achilles heel of information security in industrial automation systems because it can take place next door or across borders. Likewise, maintenance and other partners need access to the system. Protections are especially important for remote control, including access restrictions for network users and secure VPN solutions.
The easy answer is to make a VPN tunnel from network to network and open it to all users, but a safer solution is to identify the users who actually need access, what permissions they need, and monitor their actions within the system.
Keep software up to date
Software updates can also be a problem. Updates should be applied in good time because they improve application functionality and patch known vulnerabilities. In practice, devices may only be updated every six months during biannual maintenance, for example, with no changes in the interim.
Another challenge for industry is the long service life of industrial machines and devices. Machines may be from a decade ago or even from a time before the Internet, and still expected to run for another twenty years. Their online connectivity relies on auxiliary equipment, which must be secured. Careful consideration of the purpose of use is required when choosing the technical solutions of auxiliary equipment because the selection is vast.
Firewalls are not enough
There can be no doubt about the necessity of a functional firewall and antivirus system. However, firewalls are not enough on their own because access must be granted for email, for example. Intruders always look for the weakest places in a network.
One solution is to use one-way gateways. These are useful when two-way communication is not required, allowing for easy separation of the “clean” private network and “dirty” public network. However, restricting the direction of traffic is not always enough. For example, the greatest threat to information security, people, may introduce malware to the control computer with an infected memory stick, even when two-way communication is blocked.
Good information security is underutilised as a competitive advantage. Information security should be discussed openly, and it is good to even discuss problems that have been overcome. Building good information security is a challenge for all business.
Impressive brands and logos are no guarantee of functional security, only active measures. If you openly share that you have encountered trouble but your solutions could defeat the threat quickly, this will be much more convincing than any brand.
Written by Janne Kauhanen, F-Secure Corporation
