Nowadays, it is not at all strange to use a mobile phone or a tablet as a work tool. Although this provides employees with great mobility and comfort, it is necessary to distinguish between work tools and the personal devices that we take to work so that we can be in communication with the world at all times.
The concept of bringing your own device to work poses quite a few challenges for companies, which must now evolve with technology and employee needs.
This article addresses the problems originating from BYOD (Bring Your Own Device), as well as possible solutions that can be applied to organisations to prevent such problems from arising within industrial control systems.
The problems associated with the use of mobile devices that most commonly arise in the majority of companies can be broken down into three points:
- Device variety: Environments which do not have a large variety of mobile devices tend to entail less complexity. When we say complexity, in this case, we are referring to the exposure level we are subjected to in the face of human error.
- Data loss: There are multiple apps compatible with different mobile operating systems which are capable of sending information to third parties. Personal mobile devices tend to be the most likely to get infected due to the fact that controlling installed apps on these devices depends on each user.
- External access: A mobile device can serve as an access point. This would allow an attacker to create a false access point that could enable access to the different services available within the network. This operation depends on the network the attacker is in, as well as the devices which have access to said false access point. A best practice in these cases is the use of segmented networks.
A large number of devices exist in the case of industrial environments, meaning that the problem concerning device variety already exists. If we add up the devices an organisation needs to properly carry out its tasks plus each employee’s personal mobile device, we are increasing the exposure level of something that we are not in control of. In terms of devices belonging to the organisation, it is common practice to keep a device inventory. This is not, however, common practice with employees’ personal devices.
Data loss in industrial environments can be the root of huge problems, spanning from financial losses or damage to company image, to production standstills resulting from technical problems. Production standstills can be the most problematic especially if not safely carried out.
This problem does not only exclusively affect BYOD. When dealing with industrial environments, a possible unauthorised access to a critical network could turn into a major crisis.
As mentioned earlier, these are the majority of the threats that we are faced with, not only in industrial control systems but also in companies involved in other sectors.
Even though problems exist, we have the option of preventing them using some of the following guidelines:
- Multi-platform support: It is important to have technical support for the greatest number of platforms that employees need to carry out their work. This support can ensure security as well as guarantee high productivity due to the fact that knowing which technologies our employees most commonly use allows us to stay informed about them.
- Securing mail services: Use an additional password for accessing work documents from a mobile device. Or, apply encryption to the device so that company data is safe both in the event of an unauthorised attempt to access the device or a theft.
- Access control: Using personal identity cards called PIV (Personal Identity Verification) to grant access not only to software but also to hardware.
- Control of external devices: The majority of mobile phone operating systems have capacities that make device tracking possible. Some examples are the Android Device Manager and the iOS Find My iPhone. The use of this feature would be perfect for controlling company-owned devices and others with network access if these devices were the only ones connected. But there are also devices which are not controlled…
- Eliminating or blocking apps with geolocation: A best practice is blocking the GPS feature, or blocking apps that attempt to activate the GPS. This is even more important in the case of employees who work in critical infrastructures so as to prevent critical systems from being located.
- Raising employee awareness: Conducting small training sessions within the company is a way of making users aware of the dangers involved in installing apps from third parties, or browsing certain web pages on their mobile devices prior to connecting to a company network with their personal device.
- Department for managing devices and outsourcing services: If an organisation wishes to include the BYOD concept then it is necessary that they have enough employees working in the department responsible for device management and tracking. If there is not an appropriate number of employees to cover these tasks in the department, services will have to be outsourced (IT outsourcing services or the cloud).
- Knowing when to say no: Personal devices are not suitable in all environments. In the case of industrial control systems, access must be restricted as a result of network criticality.
In industrial control systems, vendors primarily solve this problem by providing devices with software that is associated with the company.
In both control systems and IT environments data in emails can contain sensitive company information. For this reason, it is necessary to somehow protect this information by preventing data leaks and data loss.
Access to certain areas within a control system may be restricted to the majority of company employees. This can be the case when dealing with a critical zone where important tasks are carried out, such as those which maintain proper system functioning or where important information is stored. By blocking access we can control possible data leaks.
Using a device inventory in addition to using a specific application for each device utilised in control systems would allow for control of company devices when they connect to the internal network.
This task can prove to be quite complicated in industrial settings given the possible size of the plant. Depending on system characteristics, this area may cover several kilometres.
This practice is very important if we want to be able to follow the above guidelines. If a company’s employees understand the importance of cybersecurity within the environment where they work, they will be aware of the implications that a crisis could have on the system.
As we have previously mentioned, device control in industrial control systems is a difficult task given the wide array of situations that can present themselves and which must be managed. For this reason, a team of professionals who can manage and control all devices, or at least the vast majority of them, is necessary within an organisation whether it be an IT or an OT environment.
- Update and patch management: Managing patches and updates on apps installed on employee devices can be a complicated task. Thus, prior to establishing a connection to any part of the company, it is necessary to update the device to make sure security updates are applied.
In the patch policy it is crucial that the company includes updating the mobile devices which access the network. Industrial control systems work with different environments from those that we could find in the IT sector. However, it is possible for these sectors to share operating system and software vulnerabilities on mobile devices. These vulnerabilities could then go on to affect the operating systems themselves in addition to control system device applications.
After reviewing the problems that arise from taking your own device to work as well as some best practices that would allow for the BYOD concept in an organisation, we can conclude by saying that this practice should only be applied to low-criticality networks. These include some IT networks where employees share information over the network; however, in highly critical networks as is the case with industrial control systems, BYOD use it not recommended.