HALT! Who goes there? Industrial System Security
Password management gets more important as we access financial websites, corporate portals, and an ever-increasing number of cloud-based resources as part of our online activity. In addition to passwords, it is good to secure personal data such as Social Security numbers and other sensitive information that should be kept out of the wild from identity thieves.
I have been using a password manager for many years. It began with an open source product called Keepass. I chose this one because it was multi-platform (Windows, OSX, Linux, iOS and Android), and by using Dropbox it is fairly straightforward to maintain a vault shared between your phone and your computers. There are several additional security options including the ability to have a pass-file that you can place in a separate location or on a thumb drive if you want added protection. Most users just use a pass phrase to open the vault. Keepass is also free (you know, as in beer). Two years ago I migrated to an application called 1Password by AgileBits. This was a $50 license on sale but it added the ability to use touch ID on my phone and my iPad which I find much more convenient.
As an added touch ID benefit, the apple watch allows purchases at a growing number of retail locations without even using a password. If you are logged into your phone, and your watch hasn’t left your wrist, the assumption is that you are operating the watch.
In the industrial environment, the way we authenticate users is similarly getting more sophisticated and more integrated as we march forward. We are regularly needing to protect access to development environments, operator interfaces, and restricted work areas. The use of passwords coupled with Integrated Windows Authentication is a long-standing solution. Biometric options such as facial recognition and touch id are becoming more attainable as the operating systems that run our processes become more advanced with greater connectivity to our mobile interfaces. Just as my personal password manager is touch ID protected so can a company’s operator environments.
Planning a secure system includes physical, network, operating system, application, and device security. Rockwell has a paper describing their approach.
This means the challenge is much broader than just the IT department. If it is possible to defeat your security by having someone plug a thumb drive into an easily accessible controller, is it really secure?
It is always good to ask yourself…
“How important are my soft assets?”
“Are they secure at multiple levels?”
“How am I authenticating users that access them?”