“The problem is that security is not a product you can pick off a shelf, security is something you have to create,” explains Siemens Manager Marketing Industrial Security Tino Hildebrand. Security begins on the management level and ends with each and every employee. When staff members write their PC access codes in the telephone directory, or even attach them to the monitor in full view, scribbled on a memo note, it shows a lack of security awareness.
These bad habits are widespread and offer would-be perpetrators a simple route into the network. Only when every individual understands the risks involved and a security policy is firmly rooted in all their actions will hackers, saboteurs or spies be deterred.
Security is afforded by such simple measures as locking doors to server cabinets and distribution boards, providing access control systems to restrict entry to rooms and computers, installing locks for USB ports and setting up extensive security checks before allowing access to programs. “Security is a process. Once it has been introduced it has to go on being tested, updated and maintained over the entire life cycle of a plant or system,” emphasizes Hildebrand. In the face of ever more specialized attacks on individual complex systems, new and different defense strategies are called for.
Security concepts borrowed from classical office IT systems cannot be directly transposed for use in automation technology. Quite distinct protection needs, and requirements in fields such as real-time behavior, call for a different approach and a different type of security solution. Another factor is that universal IT security product suppliers such as McAfee, Symantec, Trend Micro, Cisco and others have only recently turned their attention to developing components specifically for industrial controls. Standard IT software products currently offered are not well suited for use in production. To be truly effective, virus databases have to be updated on a daily basis. In a production environment, scope for these regular updates is restricted: regular virus checks would increase the system load to such an extent that it would compromise real-time capability. Just as importantly, many systems operate around the clock, leaving maintenance teams only limited scope for keeping operating systems up to date.