Five Steps to Securing Critical Infrastructure

The success of security efforts is not easily quantified. Engineering teams define success as meeting hard numbers. For example, a standard SCADA reliability metric is less than six minutes of system downtime per year. Security teams’ achievements, by contrast, are more subjective. How do you prove to an engineer just how critical a firewall is to an industrial control system’s functionality? Once we figure that out, engineering teams will finally realize that security is vital to SCADA reliability or to nuclear plant safety, but here are some important steps:
- Prioritize security: To emphasize security’s importance, allocate resources and provide incentives throughout the lifecycle – from system design to operations management.
- Take inventory of all equipment: Identify all cyber-vulnerable equipment – “You can’t secure what you have if you don’t know what you have!”
- Conduct a risk assessment: Determine how each piece of equipment contributes to your system’s overall mission to guide decisions about which controls should be most protected.
- Define policies and procedures, and train employees: Explain why security policies exist. Industrial control system teams recognize the need for productivity, reliability and safety policies, and should have the same understanding for security policies.
- Ensure technology is benign to operations: Security technology should help, not harm, overall operations. Make certain that all protection efforts contribute to achieving the objectives of control system efficiency and dependability.