We at Rumsey are excited about our new relationship with Tripwire. Why, you may ask? Because it brings configuration and compliance management, a best practice that has been a staple of cybersecurity in traditional corporate networks for years but remains a large gap in plant networks, to the plant floor. We think this is a game changer for security in manufacturing: it increases visibility, makes security monitoring easy, and ships with built-in templates for a fast start.
So, what is Tripwire and how can it help you?
Industrial network and control security requires an assessment of existing assets and their configurations to find weaknesses and gaps, a practice common in corporate environments but until now out of reach for plant environments and the teams that support them. Tripwire Configuration & Compliance Management (Tripwire CCM for Industrial Automation) delivers this in a “no-touch” or “low-touch” manner for Allen-Bradley control systems, firewalls, switches, databases, and application servers such as your HMI/SCADA and data historians. Tripwire CCM accelerates that assessment, tells you where you stand on security in the plant, and has best practices built in so you don’t have to be a cybersecurity expert. Sounds good, right? If so, you may be wondering: why not use one of the enterprise solutions already out there?
What Makes this Breakthrough?
One Good Question, Two Good Reasons.
Unfortunately, enterprise solutions stop at the standard IT device. They do not understand what a PLC is, and cannot alert your organization when a security vulnerability is published for one. Nor do they know what a secure profile for a plant floor server, switch, or similar device looks like, because the standards those profiles are based on are immensely different from the enterprise ones.
Let’s Look at #1. How does Tripwire CCM address critical “plant assets”?
This is why we are excited. It does so in a few ways:
If your critical plant servers, such as your FactoryTalk Directory, FT View Server, FT Batch Servers, FT Historian Servers, etc., are not configured to match the secure template, you are alerted that the asset has failed the audit and given a remediation path. If a setting on a server later changes and bumps it out of conformance, you are alerted to that as well. This gives all of your plant servers the same care as the enterprise ones, consistently and continuously secure, without applying enterprise policy templates that could be harmful on the plant floor.
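To make the audit-and-drift idea concrete, here is a small added example (our own illustration, not Tripwire code, and not a real Rockwell or Tripwire template). It models a secure template as a list of rules, audits a collected server configuration against it, and reports both the failures and the settings that drifted between two collections. The settings, the remediation text and the `FTVIEW01` snapshots are constructed for illustration.

```python
"""Configuration compliance and drift check for a plant server.

Added example, not Tripwire code. The template rules and the two server
snapshots below are constructed for illustration; they are not a real
Rockwell or Tripwire secure template.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    setting: str
    expected: Any
    remediation: str
    minimum: bool = False  # True: pass when actual >= expected (numeric rule)

    def passes(self, actual: Any) -> bool:
        if actual is None:                      # setting not collected: treat as failed
            return False
        if self.minimum:
            return isinstance(actual, int) and actual >= self.expected
        return actual == self.expected


# Constructed "secure template" for an HMI/SCADA application server.
PLANT_SERVER_TEMPLATE: List[Rule] = [
    Rule("smb1_enabled", False, "Disable SMBv1 and reboot"),
    Rule("guest_account_enabled", False, "Disable the local Guest account"),
    Rule("remote_registry_service", "disabled",
         "Set the Remote Registry service startup type to Disabled"),
    Rule("password_min_length", 14,
         "Raise minimum password length to 14 in local security policy", minimum=True),
    Rule("audit_logon_events", "success,failure",
         "Enable logon auditing for success and failure"),
]

# Constructed snapshots of one server on two consecutive collections.
FTVIEW_SERVER_DAY1: Dict[str, Any] = {
    "hostname": "FTVIEW01",
    "smb1_enabled": False,
    "guest_account_enabled": False,
    "remote_registry_service": "disabled",
    "password_min_length": 12,
    "audit_logon_events": "success,failure",
}
# Day 2: someone re-enabled SMBv1 and set Remote Registry to manual.
FTVIEW_SERVER_DAY2: Dict[str, Any] = dict(
    FTVIEW_SERVER_DAY1, smb1_enabled=True, remote_registry_service="manual"
)


def audit(snapshot: Dict[str, Any], template: List[Rule]) -> List[Dict[str, Any]]:
    """One finding (with remediation) per template rule the snapshot fails."""
    findings = []
    for rule in template:
        actual = snapshot.get(rule.setting)
        if not rule.passes(actual):
            findings.append({
                "setting": rule.setting,
                "expected": rule.expected,
                "actual": actual,
                "remediation": rule.remediation,
            })
    return findings


def drift(previous: Dict[str, Any], current: Dict[str, Any]) -> List[Tuple[str, Any, Any]]:
    """Every setting whose value changed between two collections, sorted by name."""
    keys = set(previous) | set(current)
    return sorted(
        (k, previous.get(k), current.get(k)) for k in keys
        if previous.get(k) != current.get(k)
    )


def new_failures(previous: Dict[str, Any], current: Dict[str, Any],
                 template: List[Rule]) -> List[Dict[str, Any]]:
    """Findings that appeared since the last collection: the 'bumped out of
    conformance' alert, as opposed to failures that were already known."""
    already_failing = {f["setting"] for f in audit(previous, template)}
    return [f for f in audit(current, template) if f["setting"] not in already_failing]


if __name__ == "__main__":
    for f in audit(FTVIEW_SERVER_DAY2, PLANT_SERVER_TEMPLATE):
        print(f"FAIL {f['setting']}: expected {f['expected']!r}, got {f['actual']!r}"
              f" -> {f['remediation']}")
    for setting, old, new in drift(FTVIEW_SERVER_DAY1, FTVIEW_SERVER_DAY2):
        print(f"DRIFT {setting}: {old!r} -> {new!r}")
    for f in new_failures(FTVIEW_SERVER_DAY1, FTVIEW_SERVER_DAY2, PLANT_SERVER_TEMPLATE):
        print(f"ALERT {f['setting']} newly out of conformance")
```

Two design points matter here. A setting that was not collected is reported as a failure rather than ignored, because a missing value is exactly the case an attacker or a broken agent produces. And the alert for drift is computed from the difference between two audits, so a server that was already failing a rule yesterday does not page anyone again today; only settings that newly fell out of conformance do.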
When was the last time you or your plant engineers collected every PLC firmware revision and compared it against known vulnerabilities? Yes, I know what you are thinking: that would be nearly impossible to manage. Correct. Even if you did it once, how could you sustain it daily, weekly, or even monthly? You can’t, not by hand.
BUT checking for security alerts and vulnerabilities is a top priority in any security program and standard practice. In fact, the #1 item in the Top 5 CIS Critical Security Controls is “Inventory of Authorized and Unauthorized Devices”, followed by #2, “Inventory of Authorized and Unauthorized Software”; secure configurations (#3) and continuous vulnerability assessment and remediation (#4) come right behind them, and neither is possible without the inventory first.
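What that comparison looks like once the inventory exists, as an added example of our own (not Tripwire code): collected controller firmware revisions are matched against a list of advisories that each carry an affected version range. Everything below is constructed for illustration: the product families, the controller inventory, and the `EXAMPLE-ADV-*` advisory IDs are placeholders, not real Allen-Bradley products, real ICS-CERT identifiers, or real vulnerabilities. The part worth noticing is how unparsable firmware strings and products the advisory list does not cover are reported, since "no match" must never be mistaken for "not vulnerable".

```python
"""Match collected PLC firmware revisions against an advisory list.

Added example, not Tripwire code. The inventory and advisories are
constructed for illustration: product families are placeholders, the
advisory IDs are not real identifiers, and the version ranges describe no
real vulnerability.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Optional[Version]:
    """'20.011' -> (20, 11). Returns None for anything that is not dotted numeric."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(p) for p in text.split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str        # placeholder ID, not a real advisory
    product: str            # product family the advisory applies to
    introduced: str         # first affected revision (inclusive)
    fixed: Optional[str]    # first fixed revision (exclusive); None = no fix yet
    summary: str

    def affects(self, product: str, firmware: Version) -> bool:
        if product != self.product:
            return False
        if firmware < parse_version(self.introduced):
            return False
        return self.fixed is None or firmware < parse_version(self.fixed)


# Constructed inventory, as a firmware collection would produce it.
INVENTORY: List[Dict[str, str]] = [
    {"asset": "Line1-PLC",     "product": "Family-A", "firmware": "20.011"},
    {"asset": "Line2-PLC",     "product": "Family-A", "firmware": "30.014"},
    {"asset": "Packaging-PLC", "product": "Family-B", "firmware": "32.013"},
    {"asset": "Utilities-PLC", "product": "Family-B", "firmware": "unknown"},
    {"asset": "Legacy-PLC",    "product": "Family-C", "firmware": "1.2"},
]

# Constructed advisories with placeholder IDs; none of these are real.
ADVISORIES: List[Advisory] = [
    Advisory("EXAMPLE-ADV-0001", "Family-A", "20.000", "28.000", "placeholder, fixed in 28.000"),
    Advisory("EXAMPLE-ADV-0002", "Family-A", "1.000", None, "placeholder, no fix released"),
    Advisory("EXAMPLE-ADV-0003", "Family-B", "31.000", "32.012", "placeholder, fixed in 32.012"),
]


def assess(inventory: List[Dict[str, str]], advisories: List[Advisory]) -> Dict[str, Dict]:
    """Per asset: status plus the advisory IDs that apply.

    Statuses: 'vulnerable', 'clean', 'unknown_firmware' (revision could not be
    parsed, needs manual review), 'no_coverage' (no advisory data at all for
    that product family, so 'clean' would be unjustified).
    """
    covered_products = {a.product for a in advisories}
    report: Dict[str, Dict] = {}
    for item in inventory:
        firmware = parse_version(item["firmware"])
        if firmware is None:
            status, hits = "unknown_firmware", []
        elif item["product"] not in covered_products:
            status, hits = "no_coverage", []
        else:
            hits = [a.advisory_id for a in advisories if a.affects(item["product"], firmware)]
            status = "vulnerable" if hits else "clean"
        report[item["asset"]] = {"status": status, "advisories": hits,
                                 "firmware": item["firmware"]}
    return report


if __name__ == "__main__":
    for asset, result in assess(INVENTORY, ADVISORIES).items():
        print(f"{asset:15} {result['firmware']:8} {result['status']:17} "
              f"{', '.join(result['advisories']) or '-'}")
```

In a real deployment the inventory comes from the collection agent and the advisory list from the vendor or ICS-CERT feed; the matching logic stays the same. The `fixed` boundary is exclusive, so a controller running exactly the fixed revision is reported clean while the revision just below it is not, which is the check you most want to get right.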
All major corporations run some form of configuration management and vulnerability monitoring that checks servers and end-user devices for required updates across their enterprise IT assets. Did the latest cumulative update get pushed to your laptop last month? Not hit by WannaCry or Petya? Most likely because your device was flagged as missing the relevant patch by your enterprise configuration and vulnerability monitoring solution, your IT group was alerted, and they determined and implemented the appropriate remediation.
So how do we get the same level of visibility for our critical plant assets, like PLCs, without bringing down the plant network? The Exchange server may be the heart of the company, but the PLCs are the heart of the plant. See the upcoming “Part 2” for more on low-touch and no-touch solutions.