The Truth About Cybersecurity - 4

S P ON S ORE D BY

CYBERSECURITY

phishing (email) attacks, watering holes
and other social engineering, which cyber
criminals commonly use to prey upon an
unsuspecting workforce and gain access
to your networks. Malicious actors attempt
to entice employees into providing sensitive
personal or corporate information, such as
account passwords or details about your
infrastructure. To prevent these situations,
provide initial and recurring cybersecurity
training to your employees to help maintain
the security of the operation.
Once cyber-educated, your company must
have procedures in place for security across
your operations. Be aware of and adhere to
industry standards and best practices. Follow
respective vendors' documentation for systems
setup and configuration to ensure they are
as secure as possible. For example, ISA99/
IEC 62443 is a rigorous standard for industrial
automation technology. It works to safeguard
operations across multiple layers. Schneider
Electric has adopted a "defense in depth"
strategy to prevent or minimize cyberattacks.
This multipronged defense system adheres to
ISA99/IEC 62443 standards and involves the
creation of a multilayered and multi-technology
strategy to safeguard critical systems. The
defense-in-depth strategy is a holistic security
approach.
Next, take a close look at your technology.
Understand what assets are most vulnerable or
create the greatest risk in your business. Make
sure your assets build in the strongest cybersecurity features and meet stringent requirements for safety, cybersecurity, risk reduction
and continuous operation in your industry.
Safety Instrumented Systems should be compliant with the IEC 62443 standard and certified
by TÜV Rheinland for use in safety applications
up to Safety Integrity Level 3. They should also
be ISASecure® EDSA Level-1 certified, the
industry's leading cybersecurity certification
for control systems, safety systems and system
components. Assess and review your systems

SCHNEIDER ELECTRIC
www.schneider-electric.us/

to detect gaps and uncover any security
malpractices. Assess your staff's security
competencies with the equipment. Personnel
need to have a good understanding of the level
of protection within those assets, understand
where they may have potential gaps and have
a plan in place to address issues.
Conduct a thorough assessment of your
industrial control system, including the corporate enterprise segments. Many companies
have a range of technology from different
vendors and different eras. You need to be
aware of the integration of different systems
and the security implications. After completing
an inventory of your systems, machines and
software, you can eliminate any elements that
are not serving a purpose. Reducing your footprint will reduce your attack surface, making it
harder for malicious actors to find a vulnerability to exploit. It is important to manage the
risks when connecting any machine on an
industrial control system (ICS) to a machine
on a business network or to the internet. Even
though your ICS may not directly face the
internet, pathways may still exist. A persistent
cyber-threat actor can find these pathways
and use them to access and exploit systems
to cause a cyber incident. To reduce network
vulnerabilities, eliminate superfluous channels
between devices on the control system and
equipment on other networks. In short, plug
every hole by following best practices that
secure communication throughout your
organization.
Finally, understand that security is a
journey not a destination. Securing your digital
enterprise is a constant cycle. The strategic
planning, training, adherence to standards,
testing, and reviewing and refining procedures must be ongoing to continually defend
your business. Cybersecurity risk, as with all
risks, cannot be eliminated. Instead, it must be
continually managed. A proactive and robust
cybersecurity strategy will have more than just
a positive effect on your bottom line.

28%
"Only 28% of industrial
organizations use a
lifecycle approach to risk
management."

Peter Bussey,
Research Analyst
LNS Research

AUGUST 2018

https://www.schneider-electric.com/en/download/document/998-2095-05-05-14AR0_EN/ https://www.schneider-electric.com/en/download/document/998-2095-05-05-14AR0_EN/ https://www.schneider-electric.com/en/work/services/field-services/industrial-automation/industrial-cybersecurity/design-implementation.jsp http://www.schneider-electric.us/

Table of Contents for the Digital Edition of The Truth About Cybersecurity