Automatic translation from Russian to English. It may contain inaccuracies.

August 8, 2025 at 8:09 PM, Max Knyazev, Telegram mirror
If you have ever worked with an automated process control system, you may have encountered a situation where the network seems to be isolated, and for some reason the reports end up in the corporate office. And not through a gateway or a controlled channel, but in the format: “Vasya transferred it to a flash drive after his shift.” Sometimes it may even be his personal, unregistered flash drive. 🤦‍♂️

This is not a joke. This is still a real problem in many critical facilities. And no, it’s not “that’s how they were taught.” This is the result of systemic inertia, when security is built not according to a threat model, but according to habit 😐

Why are flash drives still alive? Because many people still believe in the “air gap”. They think that if there is no cable, then there is no risk. Unfortunately, not everyone understands that it works a little differently. A simple example: an operator brought log files from the isolated network over to the office one. No verification. Or even better: on the way, that flash drive was plugged into an infected laptop. That’s it. You already have a backdoor where there shouldn’t be one at all. 😐

The second reason is outdated HMI, SCADA and controllers without support for modern protocols and monitoring tools. Try setting up syslog on a device from 2009. Or antivirus on an HMI running Windows XP Embedded 🙈

What to do about it?

1️⃣ Automate everything that can be automated. Every manual action in the chain is a potential error. Modern gateways can transfer files strictly on a schedule, scan them for malware, verify their hashes and integrity, track the UUIDs of the drives used, and require “coordination from both sides” before anything is sent.

2️⃣ Segment wisely. Isolation is not just about “physically cutting off the network.” You need to create controlled points of interaction: gateways, proxies, filters, loggers. Traffic between segments should not only be restricted, but also analyzed, documented and logged.

3️⃣ Implement certified solutions. Computers with two network cards that “occasionally connect” are an improvisation, not an architecture, and there is no place for such experiments in a process control system. If you operate a critical information infrastructure (CII) facility, you are required to use certified security solutions. Yes, it costs more. But then you won’t have to explain how a Trojan from one network ended up on another.

4️⃣ Eliminate blind spots. Monitoring should not exist only in the corporate segment. Production segments should be visible too. Even if they cannot run a full-fledged SIEM agent, at least do passive analysis of network traffic, at least collect event logs. Too often a segment exists on paper, but what is actually inside it is “well, it seems to work, no one complained.”
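What the gateway checks from point 1️⃣ look like in code, as an added example that is not part of the original post or any particular product: a registered-drive allowlist, per-file hash verification against a manifest, a malware-scan hook, sign-off from both the OT and IT sides, and a logged decision. The drive UUID, role names, sample log and the `demo_scanner` stand-in are all constructed for illustration.

```python
import hashlib
import json
import logging
from datetime import datetime, timezone

logging.basicConfig(level=logging.INFO, format="%(message)s")

# Constructed sample policy; a real gateway would load this from its own config store.
APPROVED_DRIVE_UUIDS = {"4e6d3a1c-9b2f-4d8e-a1c3-0f7b2e5d9a11"}
REQUIRED_APPROVERS = {"ot_shift_lead", "it_security"}  # "coordination from both sides"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def demo_scanner(data: bytes) -> bool:
    # Hypothetical stand-in for the gateway's AV hook: an MZ (PE) header counts as "not clean".
    return not data.startswith(b"MZ")

def validate_transfer(drive_uuid, manifest, files, approvals, scanner=demo_scanner):
    """Decide whether files read from a removable drive may cross the gateway.
    manifest: {name: expected sha256}; files: {name: bytes read from the drive};
    approvals: roles that signed off. Returns (allowed, reasons) and logs the decision."""
    reasons = []
    if drive_uuid not in APPROVED_DRIVE_UUIDS:
        reasons.append(f"drive {drive_uuid} is not registered")
    missing = REQUIRED_APPROVERS - set(approvals)
    if missing:
        reasons.append(f"missing approval from {sorted(missing)}")
    # Files the manifest does not list are rejected outright, not silently skipped.
    for name in sorted(set(files) - set(manifest)):
        reasons.append(f"{name} is not listed in the manifest")
    for name, expected in manifest.items():
        if name not in files:
            reasons.append(f"{name} is in the manifest but missing from the drive")
        elif sha256_hex(files[name]) != expected:
            reasons.append(f"{name} failed hash verification")
        elif not scanner(files[name]):
            reasons.append(f"{name} was flagged by the malware scanner")
    allowed = not reasons
    logging.info(json.dumps({"ts": datetime.now(timezone.utc).isoformat(), "drive": drive_uuid,
                             "approvals": sorted(approvals), "allowed": allowed, "reasons": reasons}))
    return allowed, reasons

# Constructed sample data: one shift log plus the manifest written for it on the OT side.
SHIFT_LOG = b"2025-08-08T17:00:00Z PLC-07 batch 42 finished OK\n"
MANIFEST = {"plc07_shift.log": sha256_hex(SHIFT_LOG)}
DRIVE = "4e6d3a1c-9b2f-4d8e-a1c3-0f7b2e5d9a11"
```

A clean drive with both sign-offs passes; a log altered on the way, an extra unlisted file, or a missing approver each produce their own logged reason, so the rejection itself becomes a monitored event rather than a shrug.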

In the case of automated process control systems, the risks can be much higher, especially when we are talking about CII. And if you are still transferring data between segments manually, this is a signal. No worries. A signal that it’s time to change. Use automation wherever possible, because it not only saves time, but also removes the human factor, which can produce a huge number of errors at every step ⚠️

#information_security
#internet_things
