Based on tracking and research by PricewaterhouseCoopers China, we found that enterprises lack effective management and technical measures to ensure the safety of industrial control systems, and that there are many security risks, such as:
Security vulnerabilities in operating systems;
Weaknesses in anti-virus and malware controls;
Lack of control over the use of external devices such as USB drives and CDs;
Uncontrolled laptop access while equipment is being repaired;
Insufficient network boundary protection for industrial control systems;
Weak access and contact control (including remote access, management and maintenance);
Weaknesses in safety management across the industrial control software life cycle;
Lack of security incident emergency response mechanism.
How companies respond
In the face of the above security threats to industrial control systems, we suggest that enterprises identify the gaps in their management and technology through risk assessment and gap analysis, and improve the overall security of their industrial control systems by implementing relevant rectification measures to resist internal and external security threats.
As a first priority, we recommend that business management start thinking about the following questions:
1. What are the safety risks to the production process? Have all industrial control system-related assets been identified? Have assets been prioritized and the potential consequences of damage made clear? Can the organization maintain production and critical business processes after an information security incident?
2. Have a safety management team and a person in charge of the industrial control system been established?
3. Are employees fully aware of industrial control system safety?
4. Have a safety management system and processes for the industrial control system been established?
5. Does the maintenance and security of the industrial control system depend on external third-party support? Is there an effective third-party management mechanism in place?
6. Is the network of the industrial control system connected to the enterprise network/Internet, and have effective measures been established to protect its security while connected?
7. Are effective security measures implemented, such as anti-virus, anti-malware, peripheral control, etc.?
8. Does the network of the industrial control system support remote access? Can remote access be protected and monitored?
9. Has the enterprise established a safety alarm mechanism and emergency plan for the industrial control system?
10. Has the enterprise chosen appropriate standards and established a complete industrial control system safety management system?
In addition, the United States, the European Union and China have successively issued safety standards and recommendations for industrial control systems (see Table 1 for details), which enterprises can refer to.