IT System Security Best Practices

For years, we secured process control systems with a combination of “security through obscurity” and willful ignorance. Increased threats from malicious hackers, often sponsored by nation-states and criminal organizations, are demonstrating that neither of these approaches is sufficient.

If you hope to keep your manufacturing processes safe, you have to lock them down.

1. Stiffen up those passwords

The first step is the most obvious: change your default passwords. The number of product manufacturing and process control systems that still use factory-assigned passwords remains staggering. Meanwhile, these commonly assigned passwords are easy to find with a Google search.

However, when you change a password, don’t just go tapping out the six most natural characters on your keyboard.

Security firm SplashData’s annual Worst Passwords list has had the same top-two spots for five years: “123456” and “password.” The company estimates that three percent of users used the former.

“Hackers know your tricks, and merely tweaking an easily guessable password does not make it secure,” said Morgan Slain, chief executive of SplashData, upon the release of the 2017 list.

2. A default by any other name

Step two is similar: Change the default names of devices and networks. This step is fundamental, but one that too many manufacturers fail to take when deploying control systems.

While keeping a default name does nothing to make your password easier (or harder) to hack, it serves as a proverbial red rag to a hacker. If you’re too lazy to change the name, you probably didn’t bother to change the password.

Having a name that in no way references your router will make you a far less appealing target. Meanwhile, your default password, which you should still change, becomes that much more difficult to Google.

Now that we have taken the essential steps, it’s time to work on more stringent IT system security strategies.

3. Process control and business networks: separate but equal

Treat your process control network like you treat your business network. Each is equally important, and the two work together in your business. But don’t confuse equal treatment with lumping the two in the same basket.

Treating the process control network like your business network means building a perimeter around the manufacturing network similar to the one built around the financial and IP portions of your business.

That means a firewall and IPS (Intrusion Prevention System) or UTM (Unified Threat Management) controlling network traffic. Spotting unusual traffic through and out of the system is often the only way to detect an intrusion.

As for separating the two networks, this is important because a vulnerability in one system can quickly introduce malware into the other.

Business-side users, for example, might be more likely to use thumb drives that could carry malware targeting industrial controllers. Meanwhile, a poorly defended manufacturing line can provide an easy attack vector for malware that could move into critical databases.
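
To make the separation checkable, here is an added example (not from the original article) that audits connection records for traffic crossing the process control boundary without an approved conduit. The address ranges, the single allowed conduit, and the log format (one record per connection, source is the initiator) are assumptions, and the sample records are constructed.

```python
import ipaddress

# Assumed address plan and approved conduit (hypothetical, not from the article).
CONTROL_NET = ipaddress.ip_network("10.20.0.0/16")
BUSINESS_NET = ipaddress.ip_network("10.10.0.0/16")
ALLOWED = {("10.20.5.10", "10.10.8.20", 443)}  # historian -> reporting server

# Constructed sample records: time src dst dst_port bytes
SAMPLE = """\
2024-01-01T02:00:01 10.20.5.10 10.10.8.20 443 5120
2024-01-01T02:00:07 10.10.3.44 10.20.1.15 502 240
2024-01-01T02:01:30 10.20.1.15 203.0.113.9 443 981204
2024-01-01T02:02:00 10.20.1.15 10.20.1.16 502 120
2024-01-01T02:02:05 10.10.3.44 198.51.100.7 443 900
garbled record
"""

def zone(ip):
    """Map an address to 'control', 'business' or 'external'."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on bad input
    if addr in CONTROL_NET:
        return "control"
    if addr in BUSINESS_NET:
        return "business"
    return "external"

def audit(lines):
    """Return (reason, record) for flows that cross the control-network boundary
    without matching an approved conduit."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            _ts, src, dst, dport, _nbytes = line.split()
            key = (src, dst, int(dport))
            zones = {zone(src), zone(dst)}
        except ValueError:
            findings.append(("unparsable", line))  # never drop bad records silently
            continue
        if len(zones) == 1 or "control" not in zones or key in ALLOWED:
            continue  # same zone, no control-network endpoint, or approved
        reason = "control-external" if "external" in zones else "control-business"
        findings.append((reason, line))
    return findings

if __name__ == "__main__":
    for reason, record in audit(SAMPLE.splitlines()):
        print(f"{reason:17} {record}")
```

On the sample it reports the business workstation reaching a controller, the controller connecting out to an external address, and the unparsable record; the approved conduit and in-zone traffic pass silently.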

IT system security professionals are beyond the point of wondering why a hacker would be interested in a production line. Whether they’re interested in disrupting the manufacturing process, stealing intellectual property, gaining access to data beyond the factory floor, or extorting your company, process control makes an inviting target.

Lock yours down and avoid becoming the headline in your own horror story.