6 tips to secure your control room

Cybersecurity. It is a typical topic of discussion in organizations. For some only the highest level of security will do. Others think 'it should only go up to the point where security becomes noticeable for users'. To conclude Cybersecurity Awareness Month 2023, we want to give you 6 tips to secure your control room.

Check and update your firewall rules regularly. If something doesn’t work and passes through the firewall, someone checks it. But how often do you check if all the rules are still needed? When phasing out some equipment, does your team check if all the firewall changes that were needed when it was first installed are still needed?

Most companies are not ready for 802.1x or total Zero Trust Networking, but a good step in that path is locking down switch ports to known MAC addresses. Depending on how dynamic your control room is (do people use their own laptops?), you can follow the process control industry's standard of locking down a port to an individual MAC address. Furthermore, DHCP and some simple switch configurations can allow for automated reports of what device is connected where. This can feed into a SIEM (Security Information and Event Management) for audit and potential automated responses. 

Rights management is another area where reviewing things on a regular basis is important. Particularly for those companies that still have the traditional isolated network for their control room (the users have separate accounts on the control room solution from their day-to-day 'IT' accounts). This means that the standard automated process of onboarding, changing and offboarding accounts needs to be replicated manually. 

Where you can view and where you can edit/interact, can be a powerful tool both for security and efficiency. Allowing the ability to view a situation outside the control room is powerful for escalations or management decisions, and for limiting the number of people in the control room to those who really need to be there. The problem comes when someone who has edit permissions in the control room, logs in outside of the control room. Does your setup allow for context, like location? 

Service accounts still have a place in most solutions. And managed well, they can be kept secure. But too often, these are misused or misunderstood as generic user accounts. Service accounts should never be used when a user can change something. They should only be used for changes or editing when automated flows are implemented. Otherwise, service accounts should only ever have “view” permissions – and heavily limited view permissions at that. User traceability and accountability are important from a security perspective but also powerful for training and learning.

A whitepaper released by CISA raised the expectation of Security by Design and Security by Default. Security and Usability are often at loggerheads, and this is before you consider interoperability with legacy devices. Deciding what should be fully encrypted and locked down vs what risks can be accepted within a design, should always be an end-customer decision. This leads to the idea of a loosening guide rather than the traditional hardening guide. When selecting a product, note how the manufacturer talks about security and where they expect the effort. Have they done it or are they expecting you to do it.  

When designing Barco CTRL, we integrated security at the core of the system. Do you want to know more about the security of Barco CTRL? Then don't hesitate to contact us!