Critical Security Controls Could Thwart 70% of Cyber Attacks

Most cyber attacks could be avoided by adopting a list of Critical Security Controls that were created by the Center for Internet Security. That’s the message from Steve Mustard at his session at Design and Manufacturing Minneapolis last week. Mustard is a cyber security expert with the Automation Federation. His talk featured the newest version of the Critical Security Controls, which was released by the Center for Internet Security in August.

While Mustard noted there is no perfect solution for avoiding attacks, he insisted that using the practices on the list will knock out most intrusions. “The thing about security, like safety, is you can’t make it 100%, and you have to keep improving it,” he said. “Yet the majority of cyber attacks -- 70% -- could be prevented by using the controls on the list.”

Center for Internet Security’s Critical Security Controls:

  • Inventory of Authorized and Unauthorized Devices
  • Inventory of Authorized and Unauthorized Software
  • Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
  • Continuous Vulnerability Assessment and Remediation
  • Controlled Use of Administrative Privileges
  • Maintenance, Monitoring, and Analysis of Audit Logs
  • Email and Web Browser Protections
  • Malware Defenses
  • Limitation and Control of Network Ports, Protocols, and Services
  • Data Recovery Capability
  • Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
  • Boundary Defense
  • Data Protection
  • Controlled Access Based on the Need to Know
  • Wireless Access Control
  • Account Monitoring and Control
  • Security Skills Assessment and Appropriate Training to Fill Gaps
  • Application Software Security
  • Incident Response and Management
  • Penetration Tests and Red Team Exercises

Part of creating effective cyber protection is getting a good idea of what needs to be protected and where the entry points might be. “You have to establish a good monitoring regime. The key thing is you have to understand what equipment you have and how it’s connected,” said Mustard. “If you don’t understand that, you’re going to struggle in protecting your assets.”

Employees Can Make a Difference with Security

Cybersecurity isn’t just technology and it isn’t just the IT department. Everyone within the plant needs to be trained to spot intrusions. “One of the things that can really help is the people in the organization. They can tell if one of their machines begins to operate in a funny way, or whether there are more pop-ups than usual,” said Mustard. “People can start to draw conclusions. When employees are aware and know what they can do to prevent an attack, the more likely you can avoid an attack in the first place.”

While employees can help detect intrusions, they can also inadvertently invite intrusions. “People are a good first line of defense, but they are also the weak link in the chain, since they might open an attachment that lets the attack into the system,” said Mustard. “Even the best firewall on the perimeter isn’t sufficient if an employee puts an unsecured USB stick into a computer on the system.”

One overlooked area of vulnerability is the mobile devices that employees bring to work. “Mobile devices are a permanent way people are doing business now. Bringing your own device to work is common at most companies. Most people prefer to have their own devices. If it’s a personal device, they will probably protect it in their own way, which won’t be as secure as you’d like,” said Mustard. “Part of your protection is to make your people aware that their devices may be used as a way into the system.”

Rob Spiegel has covered automation and control for 15 years, 12 of them for Design News. Other topics he has covered include supply chain technology, alternative energy, and cyber security. For 10 years he was owner and publisher of the food magazine Chile Pepper.
