Introduction
What is and is not allowed in a secured area, such as a control system environment, varies from organization to organization. This section will cover some of the most common equipment do’s and don’ts.
Computersđź’»
In many control system environments, computers that are not needed for control system operations are not allowed in the control room. One reason for this is that email, websites, and files from home are common sources of malware(viruses,Trojan horses spyware).
- Malware: Short for “malicious software,” software (usually a virus, worm, spyware, or a Trojan horse) designed to damage or disrupt a system.
- Virus: A small malicious program that replicates itself and self-propagates to additional computers over a network. A virus requires a host program, such as email, to propagate.
- Trojan Horse: A type of malware that disguises itself in the form of something desirable (emails from acquaintances, advertisements, etc.)
- Spyware: Software that covertly gathers user information through the user’s Internet connection without his or her knowledge, usually for advertising purposes. Once installed, the spyware monitors user activity on the Internet and transmits that information in the background to someone else. Spyware can also gather information about email address and even passwords and credit card numbers.
Some organizations do not have Internet connections within the control rooms and may allow limited use of computers not related to control room operations within them. When an Internet connection is allowed, it should be on a separate computer for an explicit purpose.
If a laptop is brought into the control center (for example, to install an upgrade), it should be scanned for malware before being connected to a control system device.
Know your organization’s restrictions and adhere to them.
Corporate Security Hole⛳
Employees Forwarding Email to Personal Accounts
Employees forwarding their work email to web-accessible personal accounts is a growing problem. When away from the corporate network, accessing email from these accounts is usually faster and easier than going through the corporate remote email solution. Atlanta’s DeKalb Medical Center began using systems to monitor outbound email after it became aware of the growing problem of doctors and nurses routinely forwarding confidential medical records to their personal web-mail accounts.
-From *SANS NewsBites* and *The New York Times*
Only software related to control systems should exist on computers on the control system network. Operating system extras, such as games and any other unneeded software, should be removed.
Many word processing and spreadsheet programs have the ability to run macros, which makes it possible for malicious code (Trojans and other malware) to run and infect a system and any systems connected to it. Do not run macros unless the file comes from a trusted source. Similarly, malicious websites can install malware on a computer without your knowledge.
Additional guidance for applications in the control room
- If Internet access is needed to run the control system environment, then it should be accessed from a different network from the control system network.
- If Internet traffic is allowed into the control system network (for example, to download software and firmware upgrades), it should be restricted to a single dedicated system, not to control systems. Any downloads should be scanned for malware before installation on a control system device.
- Internet traffic should never be allowed out of the control system network.
Removable Media
A word about Flash Drives:
USB flash drives are a wonderful invention. You can transport large files to a customer’s office and access the data without worrying about compatibility. You can take work home, and you can travel with just the flash drive instead of lugging a laptop around.However, flash drives also present many risks.
- ***Malware.***Organizations can greatly reduce the spread of malware on their network by installing antivirus software on email servers and prohibiting certain websites, but the use of flash drives can bypass these safeguards.
- ***Data theft.***Any unattended and unlocked computer with a USB port is an easy target for an adversary with a flash drive.
- ***Data Loss.***The portability of flash drives also increases the potential for lost data falling into the wrong hands. Most of these devices have little or no security features. If you happen to lose your flash drive, anyone who finds the device may be able to access its data.
Removable media need to be treated with great care. These devices can be inserted into a control system or other system, and either accidentally or intentionally transmit malware or interfere with the system’s function. To prevent malware, the following precautions should be taken:
- Media should come from a reputable source such as an employee or trusted vendor.
- Media should be scanned for malware before being connected to any device in the control system environment.
- Media contents should be reviewed before connection to a control system device.
Removable media include the following:
- USB flash drives
- MP3 players
- digital cameras
- removable hard drives
- magnetic tapes
Visitorsđź“ş
If you are hosting or otherwise responsible for a visitor, you should ensure the visitor complies with your organization’s policies. For example, it is rarely appropriate for a visitor to be taking pictures of your control center with his or her smartphone.
Take care with what information you disclose to visitors, both verbally and through what is visible in your office or the control center. Although it’s natural to want to be helpful and talk about your work to an inquisitive visitor, never reveal critical information.
Lets Summerize it up
We have learned about items and activities that typically are not allowed in a control system environment.
Specific items that were covered include:
- Computers that are not needed for control system operations often are not allowed in the control room, and if they are, their use is limited.
- Any software that is not related to control systems is often prohibited in the control room.
- If removable media (for example, flash drives) are allowed in the control room, they should be treated with great care.
- Be sure to comply with your company’s policies regarding visitors.
References
Cybersecurity Practices for Industrial Control Systems by CISA