June 18, 2013

Big or Small, Defense in Depth Remains Vital

Posted by Torey Penrod-Cambra

Today we welcome guest blogger, Greg Hale, to the Kepware Technologies Blog. Greg is the Editor/Founder of Industrial Safety and Security Source, www.ISSSource.com.

There’s no disputing that big companies encounter security threats from cyber attackers every day—but people often forget that small to medium-sized businesses frequently suffer attacks as well.

It is these organizations that need protection most of all. Many fall into a line of thinking that places their company’s size before its value. By questioning their need for protection, and reasoning that they are “just a small company,” they put themselves at risk for trouble. 

Just ask CWI Railroad System Specialists in Berks County, PA.

In 2012, the train engine parts manufacturer had a hacker access their computer system and steal almost $200,000. The hacker easily bypassed the company’s security system and issued payments to banks in Virginia, police said. CWI thought that they had a “very protected server,” but apparently it was not protected enough. 

Cyber Security

Cyber security threats are global. A new report by the Federation of Small Businesses (FSB) and the Home Office and Business Departments found that small and medium-sized businesses in the United Kingdom are losing $1.2 billion (£785 million) per year to cyber crime.

These types of reports show that anyone can be a victim. Major oil and petrochemical companies are on one end of the spectrum: several were attacked in 2009’s “Night Dragon” hacking spree that resulted in the loss of vital drilling information, records, intelligence, and ideas. Small to medium-sized companies are on the other end of the spectrum, with losses that are just as important: many lose enough money or intellectual property to put their future in jeopardy. 

The Need for a Defense in Depth Program

The question that is always asked after an attack is whether the company had a solid defense in depth program—and if so, whether they adhered to it. Although a defense in depth program may not stop a truly targeted attack, it may provide enough layers of protection to slow down or prevent less-dedicated hackers from stealing a manufacturer’s crown jewels.

A defense in depth program must be user-friendly. It’s often helpful to shift the focus from protecting the system to knowing the system. Users should understand how to do the following:

  • Manage flows into and out of the Industrial Control System (ICS)
  • Subdivide the ICS by employing the zones and conduits approach
  • Detect any unusual behaviors in the ICS

Furthermore, any layered defense in depth program needs commitment and support from management. The company must adopt the security program and policies as a whole, and provide training to users and employees. They must also provide physical security, network segmentation and security, host security, application security, and data security.

Following a strong defense in depth program and remaining vigilant could pay off in the end. Studies show that “top tier” organizations with defense in depth programs are 2.5 times less likely to experience a major cyber attack, and are 3.5 times less likely to experience downtime compared to enterprises that do not.

Surely, the money saved by being 3.5 times less likely to experience downtime will cover the cost of a defense in depth security program. Don’t you think being 2.5 times less likely to experience a major cyber attack makes this program worth investing in?
