Cybersecurity policies that threaten productivity

There is a cartoon that shows an army general telling a salesman that he is busy fighting a war and has no time to see him. The gag is that his troops are seen fighting with rifles and bayonets while the salesman is offering machine guns.

Putting aside the sad undertone, I recently came across a modern parallel when asked to resolve an accumulation of performance issues with a large industrial automation LAN. The network diagram showed that the plant network was interconnected without the zone segregation I’d liked to have seen, and it was stated site policy, in all-caps in case I missed it, that internet connection was “ABSOLUTELY NOT PERMITTED UNDER ANY CIRCUMSTANCES”.

This paradox - a fear of internet-borne nasties infecting a network that by (lack of) design is prone to contagion in the event that something actually occurred - is not uncommon. It deserves discussion in the context of the prosperity of Australian manufacturing, and whether the policy ‘generals’ are keeping up to date.

The ‘No Internet’ or ‘Air Gap’ defence is widely discredited - a 2011 study by RISI (The Repository of Security Incidents) shows that 80% of network security events were unintentional - the result of errors, failures or malware introduced inadvertently, mostly through memory sticks. Direct intentional attacks by hackers account for less than 10%. The enemy is not coming through the front door, so a perimeter defence strategy is largely ineffective.

Further, restrictive policies lead employees to develop workarounds that can have undesired consequences. We saw this with safety interlocks until products like coded-magnet switches were developed, and we see it now with rogue wireless access points and broadband modems (now performed discretely by a smartphone) enabling policies to be bypassed. Policies alone - the ‘publish and pray’ approach - are not the answer.

Embrace technology for prosperity

‘Defence in depth’ is a multilayer strategy that for both the military and networks creates a labyrinthine path that stretches the opponent, leading them to give up for easier pickings, contains them or at least provides warning as soon as an attack (or infection) has been detected. It is demonstrably more successful to put in place effective defences against the highly inevitable occurrence than to simply issue a policy.

Networks, properly designed for security and fully exploited, can add value to a business. This can take the form of secure remote access so the right person can provide support without the delays of travel, using the high bandwidth for video monitoring, publishing real-time data to head office or getting an urgent patch installed quickly. The confluence of LAN, internet, mobile telephony and the cloud, together with protections like zone-based firewalls with deep packet inspection and cloud-based authentication servers have provided the confidence to enable not cripple. The generals, however, need to be brave - they have to eschew their conservative fixations, to become informed of the possibilities and embrace them.

The survival of a battle-weary Australian manufacturing sector requires a liberal approach - exploiting the full range of technology enablers to innovate, increase uptime and reduce costs, while employing best practice in design. Few organisations have the skills in-house to address these life-cycle issues. They need to be receptive when the experts knock on the door.

*Mark Elrick, Marketing Manager at Integrated Automation, is an electrical engineer with experience in the manufacturing, infrastructure, OEM, distribution and systems integration sectors. He currently consults in the area of industrial automation and networks.