2012 – Fall Issue

Network Security Audit

Frequent news stories of control systems being compromised by worms and viruses are prompting companies to become increasingly concerned about their own risk of network and computer attack. Even the most confident IT departments can use an outside perspective to evaluate their network.

Interstates Control Systems began work with a medium-sized manufacturing facility that felt confident about its IT infrastructure and support team. The company's corporate office had requested that this facility be evaluated against their own internal compliance documents. They asked Interstates Control Systems to assist with their audit and to provide a neutral outside perspective about how well the facility was meeting requirements. Interstates reviewed the facility's policies, procedures, disaster recovery plans, personnel competency, and information security practices. The team identified gaps and outages, created action plans, and drafted a schedule to resolve gaps in compliance.

It is common for Interstates to find that site documentation is either very outdated, never followed, or both. The trouble is that the most masterfully written procedure documents will not help anyone if they are written for software that is three versions old. Policies that include industry best practices still result in an insecure facility when the policy is not followed and new employees are never educated on it. Updating documentation is a task frequently pushed off and is seldom missed until a critical component fails at 3:00 a.m.

Of greater concern is the disconnect between management's expectations of site personnel's ability to make quick repairs and the current reality at the site. When spare parts are not available and the team lacks the skills to make the needed repairs, the result can be extended downtime. In the case of the company audit, Interstates also helped facilitate dialogue between the corporate office and the production floor during the presentation of the audit findings to management.

Companies are right to be concerned about the risk of a computer virus or security breach in their systems. When Interstates performed an inventory of the site's computers, they discovered that the systems were far behind (years) in the patching and updating of operating systems and applications. Systems either had specialized hardware that was incompatible with newer operating systems, old software whose vendor was no longer in business, or worse, both. These are issues that cannot be solved in a week, a month, or sometimes within a single year. As a result of the audit, Interstates is helping the site develop solutions that replace antiquated designs and allow for greater control and system security.

Currently, the audited site referenced in this article is halfway through a two-year process to train additional individuals and revamp its backup and disaster recovery process, and will soon begin the first phase of hardware replacements.

An audit serves as a point-in-time evaluation. The goal of any healthy system deployment is a sustainable suite of practices which follows a system from implementation to maintenance and eventually through to replacement where the cycle starts anew. The consultation that Interstates provides includes recommendations and actions that a site can take to update and create new policies, procedures, and practices which, if followed, will prevent the site from having the same issues crop up again in two or three years' time.

For more information on how we can assist your company with a network security audit, call 712-722-1663.