Your security is worse than you think it is
A recurring problem in nearly all of our audits is that once we begin to look underneath the previously unturned rocks, it becomes apparent that nothing is as secure as the owner or manager expected.
Leadership in any field requires constant effort and direction from management to the entire company if a company-wide strategy is ever to succeed.
And so it is with security.
An astonishingly high number of companies make bold proclamations of new security policies and systems, and then find that the rank and file have actively subverted, ignored or misunderstood them.
The leadership team can take one of two paths to combat this:
- Demand high compliance with the directives, re-emphasising the importance and need to achieve the set goal.
- Re-think how they are communicating to their staff and partners, and change up the approach.
You will slowly lift the reluctance to change procedures, but human nature being what it is, there will always be people looking to go back to the comfort of the “old way”, complaining about the change for the sake of it, or actively subverting the security measures.
Take a different approach to communication: involve both staff and partners, and encourage them to speak their mind about the business. Different approaches will surface different issues within the business, allowing change to be made.
More secure practices have to become a native part of the work a company does every day. A simple truism: unless you put in the work to be more secure, you will fall afoul of an external or internal attacker and suffer major disruption, loss of brand reputation, direct and indirect loss of revenue, and potential regulatory penalties.
But we cannot drive security improvements through fear of consequences. Security has to be communicated in a way that enlists everyone to want to improve the state of things.
The difference at OpusV
We at OpusV have spent some time trying to reframe ourselves not as the unexpected inquisition, but as partners who can help translate and ease in everyday practices that, while more secure, actually benefit the day-to-day operations of a business.
For example, an engineer needs to log in to a range of OT equipment attached to a power generation farm and finds dozens of devices, all with generic “admin” or “Installer” logins. Those passwords may or may not be in a password manager; more often than not they are stored in an Excel spreadsheet that everyone has access to.
When an engineer interacts with a device, there is no trail of who logged in, when, or whether they are colliding with the login of another engineer at the same time.
This setup prevails because managing passwords becomes a significant and complex task across an organisation, and even more so when taking into account contractors, sub-contractors, suppliers and vendors.
Thus security falls by the wayside in the name of pragmatism: “a whole bunch of people need to access different devices, so we ‘simplify’ down to bad security practice”.
At OpusV we have seen this frustration and the problems of a poorly organised security situation.
Our identity solution, IXID, provides a simple user enrolment process and can tie in a large range of OT devices, allowing an easy transition to:
- A single login per user.
- Clear, manageable, and easily updatable permissions per individual User, or by assigned Groups.
- A clear log of which user has accessed which device.
“John” logged into “PLANT-RTA-01” at “23:39:05”
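To make the contrast concrete, here is an added illustration, not IXID or OpusV code, of the two states this section describes: a device with one shared “admin” account whose log can never say who logged in, beside a simple identity broker that enrols users, grants device access by group, and writes an attributable audit record in the shape of the line above. The user, device and group names are constructed for the example.

```python
"""Added illustration (not IXID or OpusV code): the shared-credential pattern
described above beside a per-user identity broker with group permissions and an
attributable audit log. Users, devices and groups are constructed examples."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List, Set


@dataclass
class SharedAccountDevice:
    """The 'before' state: one generic account per device, no user identity."""
    name: str
    admin_password: str          # typically copied from a shared spreadsheet
    log: List[str] = field(default_factory=list)

    def login(self, password: str, when: datetime) -> bool:
        if password != self.admin_password:
            return False
        # The device only knows 'admin' logged in; WHO did so is unrecoverable.
        self.log.append(f"admin logged into {self.name} at {when:%H:%M:%S}")
        return True


@dataclass
class IdentityBroker:
    """The 'after' state: per-user identity, group permissions, audit trail."""
    clock: Callable[[], datetime]
    users: Dict[str, Set[str]] = field(default_factory=dict)          # user -> groups
    device_groups: Dict[str, Set[str]] = field(default_factory=dict)  # device -> allowed groups
    audit: List[dict] = field(default_factory=list)

    def enrol(self, user: str, *groups: str) -> None:
        self.users[user] = set(groups)

    def grant(self, device: str, *groups: str) -> None:
        self.device_groups.setdefault(device, set()).update(groups)

    def revoke_group(self, user: str, group: str) -> None:
        # Removing one person is a single operation; no device passwords to rotate.
        self.users.get(user, set()).discard(group)

    def is_permitted(self, user: str, device: str) -> bool:
        return bool(self.users.get(user, set()) & self.device_groups.get(device, set()))

    def login(self, user: str, device: str) -> bool:
        decision = self.is_permitted(user, device)
        # Denied attempts are recorded too: they are the detection signal.
        self.audit.append({"user": user, "device": device,
                           "time": self.clock(), "granted": decision})
        return decision

    def who_accessed(self, device: str) -> List[str]:
        return [f'"{e["user"]}" logged into "{e["device"]}" at "{e["time"]:%H:%M:%S}"'
                for e in self.audit if e["device"] == device and e["granted"]]


def demo() -> dict:
    """Run both models on the same two engineers and return what each log can answer."""
    when = datetime(2024, 3, 1, 23, 39, 5, tzinfo=timezone.utc)

    # Before: John and Maria both know the spreadsheet password.
    rtu = SharedAccountDevice("PLANT-RTA-01", "Installer123")
    rtu.login("Installer123", when)   # John
    rtu.login("Installer123", when)   # Maria, colliding session

    # After: the broker makes the decision and attributes it to a person.
    broker = IdentityBroker(clock=lambda: when)
    broker.enrol("John", "protection-engineers")
    broker.enrol("Maria", "inverter-vendor")
    broker.grant("PLANT-RTA-01", "protection-engineers")
    broker.grant("INV-STRING-07", "inverter-vendor")

    results = {
        "shared_log": rtu.log,
        "john_rtu": broker.login("John", "PLANT-RTA-01"),
        "maria_rtu": broker.login("Maria", "PLANT-RTA-01"),      # denied and recorded
        "maria_inverter": broker.login("Maria", "INV-STRING-07"),
        "rtu_access": broker.who_accessed("PLANT-RTA-01"),
        "denied": [e["user"] for e in broker.audit if not e["granted"]],
    }
    broker.revoke_group("John", "protection-engineers")
    results["john_after_revoke"] = broker.login("John", "PLANT-RTA-01")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The shared-account log records two identical “admin” entries and cannot distinguish the engineers, let alone a contractor who left months ago. The broker answers “who accessed PLANT-RTA-01” by name, records Maria's denied attempt, and removes John's access with one group change rather than a password rotation across every device.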
With the Critical Infrastructure clock about to start ticking, and plant owners and asset managers scrambling to work out how to implement a Risk Management Plan in the required timeframe, simple systems that make engineers' and managers' lives easier are the clear path.
Security is not a tick-the-box, turn-the-key, leave-it-running approach. It is a broad-based approach to everything, where the day-to-day of access, control and management needs to change, subtly or drastically. Don't throw security onto the pile hoping the staff will pick up what needs to be done.
We are always delighted to chat with anyone who would like a practical example of our IXID identity product for power generation systems; talk to us today!