Smart phones on the plant floor: How secure are they?
Smart phones help key operators stay up to date on process and maintenance information, but should personal or company-supplied devices be employed?
Smart phones can be an asset on the plant floor, letting operators look at current plant data and make intelligent decisions. But should personal devices be checked at the door, and are they a potential risk for cyberattacks? (NIST has been working on a way to make these devices more secure than they have been. Check out NIST’s Special Publication (second draft) entitled “Derived Personal Identity Verification (PIV) Credentials.”)
Steve Pflantz, CRB: Cell phones can connect to your facility network, and therefore, are a risk. Their connection to your network needs to be controlled and monitored just like any other wireless device access. If you are going to allow access via personal smart phones, the same level of control and use policy needs to apply just like company-provided phones.
Scott McCausland, Process and Data Automation: This is a touchy subject due to the popularity and convenience that immediate access to information can provide. By the nature of the device being "always connected," it does pose a security risk. It is hard to argue, with a security mindset, that anything different than "check phones at the door" can provide similar results.
Larry Grate, PREMIER System Integrators: To the individual it would be the convenience of not carrying two devices if the corporate policy forbids personal use. These types of devices are increasingly becoming necessary to troubleshoot and maintain ICS equipment, and many vendors are putting strategies together to leverage the prevalence of these devices. Anything you allow on your network that you don’t control is a potential threat. Having a policy for what you will allow on your network considering your threat environment is critical. Segmentation of your networks, including wireless networks, is critical to your overall security posture.
Ragnar Schierholz, ABB: Most people don’t have anti-virus on their mobile phones, and it is a possibility to target engineers of plants, getting them to download malicious files and click links from their mobile phones.
Targets can easily be found on websites such as LinkedIn. For this reason, it is a significant possibility that an engineer who has an infected phone could then give an attacker access to a control system if this phone is connected to the plant’s Wi-Fi system, or the user charges the phone on industrial devices using the USB port.
It is essential to educate employees on the possibility of this type of attack vector. USB port blockers can be used as a deterrent for connecting phones into industrial devices. The control to put in place is detection. Industrial devices should be monitored so that an alert is created when an industrial device's configuration has been changed.
Stefan Woronka, Siemens: Well, the answer is not easy as everyone depends on their personal phones. In the beginning it may make sense to show the impact of misbehavior such as charging the phone on a PC/HMI. By this, the level of awareness is raised. For more critical parts of the production a complete lockdown procedure may be required.
For more information on cybersecurity, visit “How processors can guard against cyberattacks,” FE, October, 2018.