Industrial Cybersecurity / Asset Management System / Plant Security

14 keys to securing your CMMS data

David Berger asks "How long could you survive if your network went down?"

By David Berger

Top of mind for many senior executives and business owners is the security of information systems, including data managed by your CMMS. Whether due to mechanical or electrical breakdown, human error, or malicious acts such as hacking or attacks via computer viruses, the risk of a security breach is rising year over year. Although there is no such thing as a guaranteed fail-safe solution, you can minimize your losses through proper preparedness. Here, we’ll look at 14 ways in which to protect against security breaches.

1. Security policy management

Security experts tend to agree: Start with instituting clear policies, guidelines and procedures for securing company data. For example, data should be classified as to the level of sensitivity, from extremely sensitive data such as the location and vulnerabilities of infrastructure assets, to public data like standard PM procedures for facility assets. For each classification, there should be strict enforcement of how the data is to be managed, both inside and outside the organization.

2. Create a security-savvy culture

Most security breaches are caused by humans, not computers. Examples include breaches that result from failure to comply with IT policies and procedures or from a lack of training and those created with malicious intent. These can be minimized by creating a culture where security is a high priority. Initial training in physical security and cyber-security as well as ongoing refreshers should be offered to all employees, including senior management. Also helpful are internal and external auditors routinely reporting on security gaps. Tests should be conducted on a regular basis to heighten awareness. For example, send phishing emails to maintainers from fake vendors.

3. Backup protection

The most fundamental means of securing your data is to back it up. There are many storage devices and reusable media from which to choose, including removable or external hard drives, memory cards, disks, tape, and so on. To avoid the pain that most of us have experienced when a hard disk crashes or data is suddenly lost, make sure that you devise an effective backup model that allows you to reconstruct the data from several months ago. Also, make sure that all users are storing their data on the network and not just their hard drive, because it is far easier, cheaper, and more reliable to back it up centrally. This is also true for users with laptops, smartphones or remote cloud access. Storing data on the cloud is like storing data on someone else’s computer in that you give up control, so ensure that data is encrypted.

4. Redundancy

NASA, the military, and nuclear power plants are famous for spending big dollars on redundant systems. But in today’s fast-paced business environment where our dependency on computers is increasing steadily, reasonably-priced redundancy schemes are very much in demand using virtual machines or the cloud. This is probably true for your CMMS. How long could you survive if your network went down?

5. Authentication

To protect your CMMS and other software applications from unwanted access, the computer must first verify that you are who you say you are. Examples of authentication techniques are briefly described below. Note that greater security is achieved through a combination of methods (e.g., two-factor authentication).

Password: simplest; not very reliable as a standalone solution; must be changed often to avoid copying; users often forget their passwords

Token: anything from a simple metal disk to a sophisticated smart card, transponder or application on your smartphone, that identifies and authenticates a legitimate user

Digital signature: validates through third-party certification that the sender and receiver are legitimate

Biometric: uses a unique personal characteristic such as fingerprint, voice, palm print, retinal or iris scan, or face scan to authenticate user

6. Virus protection

It is hard to believe that thousands of people worldwide have created computer viruses—software whose sole purpose is malicious in nature. A virus is a software program that reproduces itself and is distributed via external storage devices, a network, or the internet. It can infect the boot sector of a hard drive, attack the partition table, or attach itself to any .exe or .com file. Every virus has a trigger, such as a specific date or the running of a certain program.

The best way to combat viruses is to scan software received from an external source, such as a memory stick given to you by a friend or a file downloaded from the internet. Virus detection and disinfection software is available for protecting your network, laptop, smartphone, and remote computer.

7. Audit trail

In general, there are three levels of sophistication for audit trails, either built into the CMMS, running as third-party software, or included with the operating system. The most basic is a summary of who has logged in and out of the CMMS and/or network. The next level logs all changes to the database, and the most sophisticated audit trail keeps a record of every keystroke for every user. The latter log occupies considerable storage space for a large number of users or transaction-intensive environments.

8. Error-checking

To prevent security breaches that occur because of human error, the CMMS and other applications should be written with error-checking capability. A simple example would be to block a user from entering erroneous data or performing a potentially inappropriate action such as deleting data.

9. Firewall

Any network or standalone device that provides access to the external world requires protection from unwanted entry. A firewall is a device that filters and checks all data flowing to or from another computer, network, or the internet. This is an expensive but necessary addition to your CMMS in order to allow safe access remotely or via the internet.

10. Encryption

One of the most secure methods of protecting your data is encryption. This involves encoding data using an algorithm that can vary in sophistication depending on the level of security required. A “key” to the algorithm is then required to decode the data. Encryption is especially critical to ensure data integrity and confidentiality on the internet if IoT and Industry 4.0 is to become a reality for plants.

11. Physical security

One of the simplest and most effective means of securing your hardware and software is to keep it locked. Network equipment should be locked in a room with carefully controlled access. Laptops should be anchored to a desk when in use and stored in a locked cabinet at the end of the day. Offices should be kept locked at all times and access controlled using security guards or an authentication system. Many companies routinely inspect facilities after-hours to ensure that no devices or confidential documents are left lying around. Employees can expect serious consequences if they breach their organization’s rules.

12. Think enterprise and beyond

Just as the CMMS is fully integrated with numerous other systems, devices and applications, so, too, must security measures span the enterprise, supply chain and beyond. Your security is only as good as its weakest link, whether that be interfaces with integrated hardware and software, connected assets on the internet of things (IoT), the cloud, vendor or customer access points, storage devices, social media, smartphone applications, or even printers. All of the security measures discussed above, such as data encryption, are relevant. Furthermore, ensure that you pick your business partners well. For example, has your CMMS vendor experienced any major security breaches?

13. Stay current

The IT world is always in a state of flux, which means you must keep abreast of any relevant changes. Update all software with the latest security patches on all devices, and make sure anyone with direct or remote access does so, too. Keep vigilant as to the latest security threats, as well as hardware/software tools and procedures that can mitigate potential risks.

14. Business recovery planning (BRP)

When preventive measures above fail, there must be a plan in place to recover from the loss. Business recovery planning is discussed in detail in my April column.