In my previous Introductory Post, I discussed what constitutes a “Hidden Asset” within the Process Control & Manufacturing Industry and as such, I have identified five Key Risk Areas where the importance of Hidden Assets should be given careful consideration. Today, I will discuss the 1st part of my Blog Series: Hidden Software Assets: Software & Cyber Security Integrity.
Modern Industrial Automation & Control Systems (IACS) are now more accessible than ever, but at same time more vulnerable to Cyber-attacks. There is an increased risk through through various channels such as:
- Data exchanges and merging with wider corporate business systems
- Use of non-proprietary systems (e.g Windows GUI/Workstations)
– Normal Risk-Assessment processes such as HAZOP are not sufficient to address security threats to IACS because they do not consider Multiple contingencies (several things happening at once) and Malicious Intent.
Cyber Security threats are a concerning issue in Industries today, however many management teams have been reluctant to recognise this strategic threat and business continuity risk – specific to their process critical assets (Process Automation, Industrial Control & Monitoring Systems).
A lack of understanding of the numerous external online threats from Infiltrators, Malware and Ransomware are becoming a serious risk to companies. While this is undoubtedly a problem, insiders who have access to process control software perpetrate nearly half of security incidents.
It is therefore crucial to have an effective security system in place and good understanding of the risk to both business and safety from a company’s own internal staff who have access to critical control systems. This internal threat happens in almost 50% of the security breach cases, resulting in damage to a Company’s reputation, lost revenue, breaches in Intellectual Property and reduction in share-holder value.
To avoid risk of data integrity and corruption, care should be taken when using storage media such as USB Devices and CD’s during the transfer stage of files, both to and from storage as it is likely that data has not been fully validated to assess its integrity.
- Separate Cyber security risk assessment is required (identify/ Assess/ Manage)
- Based on HSE Cyber Security Risk Assessment Framework (as referenced in IEC 61511)
Asset Guardian’s AG Software offers an effective solution to help protect the integrity of your process Control Software ‘Hidden Assets’ in accordance with IEC 62443, through:
- Preventing unauthorised access -to software, ensuring that the right person has access to the right information at the right time by providing a secure repository, where users need to log-in with user name & password.
- Use of ‘Checksums’ – which check the software for any corruption during uploads, storage and downloads of files, securely protecting ones Company ‘Hidden Assets’ and simultaneously ensure that the right version of software can be accessed quickly, allowing the plant, production line or facility to be safely returned to its pre-failure operational state.
AG Software also helps Mitigate Risk through:
- Maintain full inventory of all devices on Control Network
- Track vulnerabilities and cyber security risks associated with devices
- Track Strategies to Mitigate Risks: patching, virus scanners, white listing, etc.
- Management and Availability of Security Patches for all systems
- Track installation of patches across all devices
In the next part of my ‘Hidden Software Assets’ Blog Series, I will be discussing Disaster Recovery, and the importance of protecting these Software Assets. In the meantime, if you would like more information on Asset Guardian Software, please contact myself:
Business Development Manager
Alternatively, fill out the contact form and I will be in touch soon.
Written by Mark Steel. Mark Steel is a Business Development Manager for Asset Guardian Solutions Limited and cultivates relationships with existing and prospective clients in the UK, and is fully committed to increasing the profile of AGSL’s complete portfolio of capabilities, software products/solutions, and professional consulting services. Mark holds an MSc Degree in Manufacturing, Management & Technology from the Open University. He is an active member of Manufacturing UK, Manufacturing Execution Systems, Enterprise Software Sales Professionals, and Manufacturing Executives in the UK.