Hello. Last week we were in Colombia at a cyber security conference and we had some very interesting discussions, one of which spawned a number of subjects for me that I had promised to write about here when I next had the chance. And one of those subjects was the debate about who is responsible for security controls on systems—especially for new systems.
The discussion was between myself (a consultant) and an end user who has to manage all the systems on his plant floor. His problem is that whenever he has an upgrade or application added to his environment, the systems being installed are not locked down or secure. I agree that this is a problem and is not acceptable. However, his assertion is that it is up to the supplying party to lock the systems down and that he should simply be delivered a secure system. This is where we started to disagree. While I agree in principle that a supplier (as we often are) needs to at least stay in line with existing security standards, and if possible improve them (within our scope at least), I disagree that the “responsibility” for establishing the security standards on that system is mine. My premise is that I can lock down a system so far that it may no longer function in your environment alongside the other systems you have. Additionally, my security expectations around password refresh, complexity, shares, drives, etc. may actually be more stringent than your corporate expectations or those of other systems you have installed. Managing the various levels of security controls across different systems then becomes a burden to the facility.
What I think has to happen is that all operational facilities should have a minimum security profile which all new and existing systems have to live up to—a profile that the facility is able to support and manage over time. That standard becomes an absolute requirement for potential suppliers to live up to and the expectation needs to be written right into the procurement language and project contracts. Many organizations already do this and I support it fully.
Now the one point I think my operational friend had that I have not yet addressed is the fact that he had neither the time nor necessarily the skill set to establish a security standard—so I gave him one. Problem solved!
In summary, I think it is a combined effort for secure systems on the plant floor. Operators need to establish the minimum security profile they are willing to install and support and suppliers need to be able and willing to work to that standard. In other words, we are ALL responsible for security baselines. What do you think?
