Any system, no matter how well designed and implemented, ultimately relies on people. Large and complex systems are susceptible
to mistakes made by inexperienced or untrained personnel, as well as the activities of malicious insider and external threats.
Even after implementing appropriate technical safeguards in the framework, system owners and users need to ensure security
by adopting these measures:
- Policies that are clear and actionable set healthy expectations and lay the foundation for detailed procedures. Rules of behavior
need to be clearly understood and enforced with appropriate controls and sanctions for non-compliance.
- Procedures must define secure processes and system configuration tasks that follow standards, are repeatable, and lend themselves
to training new employees quickly.
Procedures must cover the security features built into the Niagara framework, including the importance of using strong passwords
and changing them frequently; securing communications using CA-signed certificates (avoiding the use of the default self-signed
certificates that appear when a trust store cannot authenticate a server and cannot authenticate client-server relationships);
assigning categories to devices; and limiting access based on clearly-defined user roles.
- Security-specific training, awareness of threats, and knowledge of available protection measures must be included in company-wide
training programs. Industrial control system operators need to be aware of the signs of intrusion, what they should do immediately
to halt the damage, and how to ensure the success of the investigation that will follow.
Management needs to be aware of the costs and benefits of the recommended protection measures so they can make informed decisions.