Defense systems are, by design, built to defend against threats. Today, however, manufacturers of these systems are focusing on an entirely new kind of threat: security breaches targeting their automation systems.
Trying to manage today’s threat landscape can seem like an immense task. The malware attacks of last May vividly illustrated how vulnerable companies are around the globe from outside bad actors. And concerns about insider threats—malevolent or innocent—are growing.
Military sequestration, which has tightened budgets and made investing in new security more difficult, further complicates matters.
Even amid these challenges, defense manufacturers can take some key steps to create an effective industrial-security strategy.
Know the guidance: Government agencies are increasingly making security a requirement in contracts.
Manufacturers should actively work to align their security efforts with what will ultimately be expected from government customers. A good way to do this is by following best practices in some key security-related guidance documents:
• NIST Special Publication 800-30: Guide for Conducting Risk Assessments
• NIST Special Publication 800-53: Security and Privacy Controls for Federal Information Systems and Organizations
• NIST Special Publication 800-82: Guide to Industrial Control Systems (ICS) Security
• NIST Special Publication 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
Manufacturers also should ensure compliance with the IEC 62443, standard series, which specifically addresses securing industrial control systems and aligns with NIST 800-82.
Take a comprehensive approach: Risk assessments are essential because each manufacturer will face different threats.
NIST 800-30 provides guidance for conducting risk assessments and maintaining them over time. In the end, the assessment should provide: a full inventory of authorized and unauthorized hardware and software; documentation of system performance; identification of tolerance thresholds and vulnerability indications; and prioritization of vulnerabilities.
Free and confidential risk-assessment tools are available to help identify a facility’s risk level, benchmark it against similar facilities, and identify potential mitigation methods.
When implementing a security framework, no single technology or methodology is enough. A comprehensive defense-in-depth (DiD) security approach should be used.
DiD security uses a multilayered security approach to establish multiple fronts of defense. It addresses security at six levels: policy and procedure, physical, network, computer, application and device.
One security technology that can help any defense manufacturer is anomaly-detection software.
The software scours the deepest levels of an industrial network to spot anomalies at different stages of a breach. And it can help detect a diverse range of threats.
Also, as government bodies move toward adopting anti-counterfeiting requirements, manufacturers should look to secure the supply chain. This could include using serialization solutions, as well as updating policies to ensure they only work with trusted vendors that share similar security principles. These principles should include vulnerability management, incident response, product authenticity, and certification by an international standard, such as IEC 62443.
Be proactive, stay flexible: Our connected world presents countless opportunities to be more efficient and agile–and big security risks.
Defense manufacturers must proactively address their own and their customers’ industrial security requirements and continuously adapt security programs to new customer requirements, as well as new threats.