From a cybersecurity viewpoint, electronic media includes any mechanism used to transfer electronic information either into or out of devices connected to a company’s network. Devices connected to a company’s network include computers and servers, mass storage devices, production equipment, printers, copiers, etc. The types of mechanisms defined as electronic media include removable drives, diskettes, flash drives, CDs, DVDs, maintenance tools, diagnostic and test equipment, service and maintenance computers, and any other similar device. These devices are particularly problematic from a cybersecurity perspective since each is an interface to a company’s network, where security threats can be introduced.
An advanced cybersecurity plan should address the use and control of electronic media in both the IT network (general business network) and the OT network (manufacturing network). These two network environments share some security concerns common to both environments. Each also has its own unique set of security concerns based on the types of equipment connected to that portion of the company’s network. The challenges are particularly unique for the OT network due to the wide variety of equipment attached to the network – unique in the type of technology deployed, the age of the equipment, and the tools used to support that equipment.
In the IT environment, most equipment tends to be relatively new and can support a variety of security tools. Ideally, security tools are implemented on every computing device that will scan any electronic media immediately upon it being connected to the device – before any software or files are transferred. This goes a step beyond the functions typically provided by the more popular virus protection software tools. If more advanced security tools are not deployed, then the next best alternative is to prohibit the use of all electronic media devices. Since this may not be practical, there are a couple of standard practices to use electronic media devices more safely. One approach is to use specific stations where threat scanning software can be installed. All electronic information transfer to network devices must occur through these stations. Another alternative is to have media scanning stations that are not connected to the company’s network. All electronic media must pass through these scanning stations before they can be used with any device connected to the company network. This approach requires additional practices and procedures that assure the electronic media is properly handled – stored in a secure location, scanned before use, assigned to a specific user for a specific use, tracked while in use, and then re-scanned upon return to a secure location.
One type of electronic media that is often overlooked by companies is support and diagnostic tools used by service and support personnel – particularly those from outside the company. Any device, including computers that are connected to equipment that this also connected to the company network, represents the same security risk as any other electronic media device. These devices should adhere to the same security practices and procedures as all other devices.
In the OT environment, the issues related to managing electronic media and the risks associated with electronic media are a bit more complex. Much of the complexity comes from a variety of factors:
A majority of the devices connected to the IT network do not support PC-like functions where security software can be installed.
Many of the systems that do support PC-like functionality do not support adding security software.
Equipment can span multiple generations of computer/control system technology – each of which requires different types of electronic media to support those systems.
The maintenance and support tools needed to service manufacturing equipment can vary as much as the equipment itself.
A common practice in many manufacturing operations is to disable as many of the interfaces available on equipment where electronic media may be connected. This isn’t always practical, so an alternative approach is to provide security covers over the connection points to limit access to authorized personnel. Many of the same practices used in the IT network for scanning electronic media before use and controlling/tracking electronic media can be applied to the OT environment. The challenge is that a much broader set of tools are needed to provide security scanning of the different types of electronic media and the wide range of generations of technology found on the manufacturing shop floor. Some of these technologies include 3.5-inch floppy drives, 5.25-inch floppy drives, DOS systems, non-PC operating systems, SRAM, FROM, etc.
One area where many manufacturers can make a major improvement is in the identification and management of the various tools (hardware and software) used to support, maintain, and test production equipment. Maintenance departments should keep an approved and vetted set of tools and equipment. Where possible, these tools should be scanned for viruses and malware between every use. They also need to be tracked and monitored in a similar manner as electronic media in the IT environment.
Applying the same security practices and procedures to equipment brought into a manufacturing facility by outside service and support personnel is even more important in the OT environment than in the IT environment – simply because the equipment used is exposed to a wider variety of environments where that equipment was used at other facilities. This is an area where most manufacturers turn a blind eye. Where possible, the use of outside tools should be banned – favoring the use of tools that are controlled and vetted by the company’s maintenance department.
In many cases, implementing the ideal security procedures on the shop floor is not realistic or can represent major impacts on resources and production schedules. Many manufacturers make a risk assessment to establish a middle ground between very tight cybersecurity practices and successfully operating their facility. Generally, the concept is to use security tools and networking technologies to isolate individual or small groups of equipment from the balance of the OT network. The thinking is that they are willing to trade off the risk of a portion of their production equipment being impacted by a security threat (usually a virus, malware, or ransomware) while still effectively protecting the balance of their infrastructure.
Access control is a complex subject. A company must make a series of risk/reward decisions relative to the implementation of security procedures relative to electronic media. Implementations will be unique to every company’s specific environment and risk tolerance. The key is to develop a plan that is documented, implemented, re-enforced to personnel, and monitored for adherence.
For more details on concepts addressing security controls for electronic media, you may want to reference Section 3.8 Electronic Media of NIST standard SP 800-171.
For more on this topic, we invite you to explore the Building an Advanced Cybersecurity Plan article series.
Part 1: Engagement and Reinforcement
Part 2: Interaction Mapping
Part 3: Access Control
Part 4: Electronic Media Protection