Power is a fundamental resource. It fuels civilization. It is critical to economic and military defense infrastructures – and it is an obvious target for security threats.
As a result, any company that generates power must be especially vigilant when it comes to understanding evolving cyber security threats. It is imperative that power producers keep current on the latest processes and solutions that can be implemented to combat these threats.
Simultaneously, many power producers are looking to update their systems and technologies to meet new regulatory standards or replace obsolete or aging systems.
For many long-standing facilities, it may not make sense to perform a complete plant overhaul – instead, hybrid solutions may be more financially feasible to help improve production and achieve regulatory compliance.
But piecing together the right combination of technology and processes presents its own challenge. Few plants have staff with the knowledge and skills required to understand not only what new systems are needed, but also how to design, deploy and maintain more secure and connected systems. In addition, such systems must be designed and deployed with a holistic view of cyber security.
Holistic industrial security is enterprise-wide, starting at the plant level and encompassing every individual end device. It addresses risk from all sides: people, processes and technologies. It also brings together IT and OT teams, both of which are indispensable in securing network architectures.
So, as cyber security threats significantly increase each year, what can you do to help protect your operations? Take a holistic approach by considering these three steps:
Security Assessment: Power producers must cultivate a deep understanding of all risks and vulnerabilities that exist within their organization. A security assessment offers a fresh and thorough review of site infrastructure nuances, software, networks, control systems, policies, procedures and even employee behaviors. It’s the foundation for a successful security policy.
Key deliverables for any security assessment include:
- Inventory of authorized and unauthorized devices and software
- Detailed observation and documentation of system performance
- Identification of tolerance thresholds and risk/vulnerability indications
- Prioritization of each vulnerability based on impact and exploitation potential
- Mitigation techniques required to bring an operation to an acceptable risk state
With an assessment in hand, implementation can begin.
Defense-in-Depth Security: Defense-in-depth (DiD) security is based on the idea that if any one point of protection is defeated, an attacker must still defeat the additional layers behind it. DiD security therefore establishes multiple layers of protection through a combination of physical, electronic and procedural safeguards. A defense-in-depth security approach consists of six main components: policies and procedures, physical, network, computer, application and device.
Trusted Vendor: Your plant’s automation system is likely a small part of capital assets or costs. However, it can have a disproportionately large impact on helping you meet your security goals – similar to the impact it has on your production, quality and safety goals. Before selecting vendors for any system that will be connected to your network, request that they disclose their security policies and practices. At Rockwell Automation, we’ve formed a strategic partnership with Cisco to better understand evolving cyber security best practices. We’ve defined five core security principles for designing products used in a control system:
- Secure network infrastructure
- Authentication and policy management
- Content protection
- Tamper detection
Power generators should look for a structured and tailored approach to meet physical and cyber security requirements. Multiple layers of protection, a highly integrated cyber security suite and other upgrades can help producers get ahead of risks already running throughout the industry.
Published March 5, 2018