Original article from http://www.industryweek.com
By Travis Hessman
With industrial attacks on the rise, manufacturers are learning that high-tech defense depends on one vital nontechnical tool: education.
The sky is falling.
In April, the entire Internet – all 3.7 billion connected computers and devices in factories, pockets and offices around the world – was pinged by a single operator. Just for kicks.
That ping painted a global map of the Internet riddled with cyber-security holes and easy targets, highlighting about 310 million IPs open for attack.
In that map, there are about 114,000 vulnerable manufacturing control systems, about 13,000 of which can be accessed without inputting a single password.
The industrial world, it appears, is wide open for a cyber massacre.
Which may actually already be under way.
“We are engaged in actual digital combat,” explains Brad Hegrat, principal security advisor and manager of business risk at Rockwell Automation (IW 500/174), which manufactures the kind of control systems being targeted by these industrial hackers.
“It’s no longer a matter of if you’re going to be penetrated by some sort of advanced threat; it’s more a matter of when,” he says. “If a threat actor decides to focus on your environment, you will be penetrated. It’s simply a fact.”
Such attacks, notes Doug Wylie, Rockwell’s director of product security risk management, hold some serious damage potential.
“Unlike some of the traditional IT-based systems that are focused more on protecting the communication and financial sides, there are some further reaching consequences that come with industrial control,” he explains. “We’re dealing with systems that are facilitating controls of critical infrastructures, oil and gas, water, food and beverage.”
These applications, he says, demand a higher level of attention than normal system security.
The focus of that attention, however, doesn’t necessarily mean building the impenetrable high-tech fortress one would expect.
Rather, it seems to come down to a combination of robust technical protection measures with equally robust non-technical elements – that is, a well-trained, security-conscious workforce.
“There is a huge push for tech. We like new equipment and new software; it makes us feel safe,” Hegrat explains. “But one of the most important things that a customer can do is to make sure that they have the new technical elements up and running.”
“Believe it or not,” he adds, “you can get more done with sound policy and procedure than with technology acquisitions alone.”
Making that happen, however, requires a cultural shift in the industry, says Wylie.
“It comes down to education; education is the number one thing you can do,” he says. “You can’t solve everything with technology.”
“In World War II, they had this saying, ‘Loose lips sink ships,’” Hegrat adds. “Today, it’s, ‘Loose clicks sink enterprises.’ You get that sort of mindset back and you’re going to do far greater good than any technology can do.”