No car manufacturer in 2015 would dream of putting a car on the market without an airbag: the automotive industry has managed to make users understand the value of an add-on that is of no use while driving but can save lives in dangerous situations. Why is this message so difficult to convey to systems managers?

At the seminar “The Digital Revolution and the risks for production companies”, held yesterday in Milan, the moderator Andrea Zapparoli Manzoni (a well-known cybersecurity expert) launched a provocation: is it still right to talk about SECURITY, or is SUSTAINABILITY the more correct term?

4 nightmares of the ICT security manager

When adding value to an application (an extension, an implementation, an upgrade), the limits relating to the Security of new systems, connections and accesses.

The IT infrastructure of an organization grows in proportion to its workforce: existing people are joined by new hires, PCs and laptops are purchased and connected, e-mail accounts are created, and users are given access to the corporate network and the Internet.

It is a natural process, indeed a common commercial practice, but things get complicated when all of this has to be integrated into the same environment as automation and control networks, PLCs and SCADA. At this point, the manufacturing or maintenance/engineering departments will most likely argue that adding Internet-facing servers to the same network opens the system up to the web and thus increases the possibility of intrusions.

So let's try to define some basic principles: the first is the need to integrate the control network with the corporate network.

It is evident that once the doors are opened to the outside, the invitation for "things to come inside" is almost implicit.

In other words: Web and e-mail servers on the same network as SCADA servers are the beginning of a system that is easily targeted because, as hackers say, if you can ping it, you can easily "own" it.

A recent study conducted by Positive Technologies found that more than “40% of the ‘visible’ SCADA systems on the Internet are vulnerable and can be hacked even by people with little intrusion skills, even just through simple malware”.

This has prompted the US Department of Energy to suggest, in its '21 Steps to Improve Cyber Security of SCADA Networks', that industrial enterprises close all connections on their SCADA networks that are not absolutely essential, in order to ensure the highest possible level of security.

The Department of Energy specifically calls for the elimination of any connections with e-mail and Internet servers and systems from the SCADA network, suggesting that hardening and strengthening the security of SCADA systems involves the interruption of connections to servers for remote maintenance, remote billing services, automatic metering, e-mail services and Internet access.
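One way to check a network against this recommendation, as an added example that is not part of the original article: a small audit that flags every flow crossing the SCADA boundary unless it is on an explicit list of essential connections. The subnets, the port groupings, the allow-list and the flow records are all constructed assumptions.

```python
import ipaddress

# Assumptions (not from the article): subnets, port groups and flows are constructed.
SCADA_NET = ipaddress.ip_network("10.20.0.0/16")
CORP_NET = ipaddress.ip_network("10.0.0.0/8")   # anything outside is treated as Internet
# Hypothetical allow-list of connections the plant has justified as essential.
ESSENTIAL = {("10.20.1.10", "10.10.5.20", 5432)}  # SCADA server -> historian database
CATEGORIES = {
    "e-mail": {25, 110, 143, 465, 587, 993, 995},
    "remote maintenance": {22, 23, 3389, 5900},
    "web/Internet": {80, 443, 8080},
}

def classify(port):
    """Map a destination port to one of the service families named in the text."""
    for name, ports in CATEGORIES.items():
        if port in ports:
            return name
    return "other"

def audit(flows):
    """Return non-essential flows that cross the SCADA boundary, riskiest first."""
    findings = []
    for src, dst, port in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        s_in, d_in = s in SCADA_NET, d in SCADA_NET
        if s_in == d_in:                       # stays inside or outside: no crossing
            continue
        if (src, dst, port) in ESSENTIAL:      # explicitly justified connection
            continue
        peer = d if s_in else s
        findings.append({
            "flow": (src, dst, port),
            "direction": "outbound" if s_in else "inbound",
            "category": classify(port),
            "internet_peer": peer not in CORP_NET,
        })
    # Internet peers first, and inbound before outbound within each group.
    findings.sort(key=lambda f: (not f["internet_peer"], f["direction"] != "inbound"))
    return findings

SAMPLE_FLOWS = [  # constructed flow records: (source, destination, destination port)
    ("10.20.1.10", "10.10.5.20", 5432),    # allow-listed historian link
    ("10.20.1.10", "10.10.9.25", 25),      # SCADA server -> corporate mail relay
    ("203.0.113.7", "10.20.3.40", 3389),   # remote desktop from the Internet
    ("10.20.2.15", "198.51.100.80", 443),  # HMI browsing the web
    ("10.20.1.10", "10.20.1.11", 502),     # Modbus inside the SCADA network
]

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print(f["direction"], f["category"], f["flow"], "internet" if f["internet_peer"] else "corporate")
```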

Some might argue that this 'door blocking' also means blocking the use of emerging technologies that allow greater operational efficiency.

For example, water operators can now access critical information from the SCADA system to better manage activities, or follow standard operating procedures to respond to alarms directly on their smart devices (tablet or smartphone), all of it also based on geolocation. Plant operators can view screenshots on their iPad and access KPIs of the machinery they are physically standing next to.

While these features can be extremely useful in many situations, it is clear that they introduce some ICS security nightmares. As the number of devices connected to the Internet is set to increase drastically in the near future, striking the right balance between connectivity and security must be a top priority for those who own and govern ICS infrastructures, networks, and control and telecontrol systems.