"Balancing usability & security is always a challenge"

by Sharon Lobo    Jan 16, 2013

Mike Baldi HoneywellAs the security landscape continues to evolve, it brings along various other aspects including industrial cyber security. In an interview to CXOtoday, Mike Baldi, Senior Principal Systems Engineer, Honeywell Process Solutions, explains how industrial security differs from traditional types of security and how securing critical infrastructure involves changing processes rather than only implementing solutions. Edited excerpts.

How do industrial cyber security solutions differ from traditional security solutions? Could you cite a few latest developments in this space?
The primary focus of industrial cyber security solutions is to secure industrial control systems, which are installed in places such as chemical plants, refineries, mills etc. Traditional security solutions which are deployed in banks or financial institutions are designed to secure information against theft, but in case of industrial security solutions, the systems to be secured actually controls entire operations of a plant.

Application whitelisting has been recently introduced to industrial cyber security solutions and this enables in providing protection to each individual node, which was not possible only using an antivirus. Also you need to consider all potential scenarios of an attack, for example if the IT personnel of a plant is threatened to install a malware infested USB stick in to the plant’s systems, in such case how will you protect your plant. In such scenario, application whitelisting only allows the system to read USB stick of a certain serial numbers and if necessary can lock down a node saving the entire system from an attack.

Hactivism is not about ‘if’ you will be attacked but instead ‘when’ you will be attacked. What loopholes need to be plugged to avoid such attacks?
Responsible disclosure needs to be adopted in case of hacktivism, for example if a business finds security issues with its control systems they need to contact the vendor, who in turn will fix the problem and only then go public about it. This way the vendor gets the credit and there is no danger to the customer’s plant. While most of the vendors work with governments to define responsible disclosure, unfortunately there is no way to enforce that as there is no law or punishment for disclosing vulnerabilities. However, through mutual cooperation we plan to tackle this issue.

Some view security as a preventive tool, while others look at it as a cure. How do you convince the latter to implement security as a pre-emptive measure?
These days, quite often you will find reports on security breaches all over the place. In such situation, industrial control systems are becoming targets. For example, if you can disable a refinery or a group of refineries from a faraway place using a computer, would you ever require to use lethal weapons? As a result, if you do not secure you control systems you could end up losing a lot.

Too much security could lead to low productivity. How do you balance the two?
It is always a challenge between usability and security. You cannot lock down your system so tight that it is difficult to use or even unusable. Instead, you could implement local security to a level that is usable and add additional protection on the edges to protect for external threats.
You also need to deal with innocent activities that could be potentially dangerous to your critical infrastructure. For example, once I visited a plant, where the operators had plugged-in their smartphones to their stations to charge them without realising that their devices could be potential malware carriers. In such cases you would need to change your processes.