Protect Your Assets
Information gathering throughout the supply chain has gained greater importance since the events of September 11. Chances are, though, you’re not doing enough to protect the data and systems that are the lifeblood of that chain.
by Leslie Langnau, senior technical editor
Not everyone is convinced of the need to secure material handling data that move through various Internet channels. Even after the devastation and destruction so many suffered on September 11, 2001. Not only were valuable and talented people lost, many businesses lost much of their corporate data and control systems.
This event increased the visibility of supply chain management; however, a large group of material handling managers doesn’t see why hackers or cyberterrorists would want to know how many pieces were selected for shipment on any given day. And they’re right about that aspect of their data.
But, secure communications, networks and control systems are not just about sensitive or non-sensitive data. They are not just about cyber attacks from terrorists either. Internet worms and malicious destruction of property exact a serious supply chain cost: downtime. What will it cost your business if your electronic order entry, your electronic picking, electronic shipping and manifesting system or your electronic inventory control system go down for a minute? How about a few hours? What if they’re down for several days or weeks?
The cost in lost productivity and control repair from the damage done by the four major Internet worms this year alone has reached more than $10 billion. Now, add the billions of dollars in costs from the September 11 disaster and it should be clear that security cannot be an afterthought.
Unfortunately, it often is. Even our own government has problems meeting minimal security requirements. A recent report from the U.S. congressional Subcommittee on Government Efficiency, Financial Management and Intergovernment Relations flunked 16 federal agencies for not meeting basic security requirements.
Security can’t stop the type of property destruction that happened in Manhattan. But there are ways to protect your data and protect your operations from unexpected downtime.
Just in case
As many found out, security issues can have a direct bearing on your business. Thus, they are becoming more of a business problem and less of a technical one.
“September 11 was definitely a wake-up call,” says Brad Beale, director of marketing, Comtrol. “Companies are starting to look at developing creative recovery plans. Few had contingencies in place for the scenario of all planes ceasing to fly for a week’s time. Now, we’re seeing companies starting to create plans for such possibilities.”
“There’s an increased awareness of the need to take a look at systems and where companies are vulnerable,” agrees Amy Spear, marketing, RJS Security. “That’s been a trend evolving in the market, although much of that was due to all the viruses.”
A major difference this time is in the number of alternative scenarios managers should develop. Before September 11, many companies at least had a backup plan. But many of those plans suddenly became irrelevant when so many systems had to be shut down or put on hold for days. Thus, companies now need to be creative and develop a third level of contingency plans.
Just in time
The best time to install or improve system security is before you need it. “It can cost you a lot more time and money to retroactively try to fit security into your system,” notes Spear. “Don’t do it in a rush.”
Consultants estimate that if you include security at the start of implementing your network and communication systems, you can save from 60 to 100 times the cost of adding security after a breech.
“Protection of electronic assets does not happen overnight,” says Andreas Somogyi, industrial networks solutions practice leader, Rockwell Automation. “It takes research and putting methodologies and policies in place.”
But there’s another reason to make the effort to secure your systems. Someone may not want to destroy or alter your data. Instead, they may want to use your systems as a launch point to send viruses or worms to others to access or destroy their data. These others can include your customers and suppliers.
“The love-bug from earlier this year,” says Spear, “came about because someone gained unauthorized access to an Internet service provider, and they were able to spread the worm.”
Just imagine the potential lawsuits if your business partners’ data encounter problems traceable to your systems.
“If you do it right, if you put a good policy in place for security, you’ll never know it exists,” adds Spear. “Security should be silent.”
“Before companies can make the decision about what’s needed for security; however, they need to know and understand what they are trying to protect,” adds Somogyi. “A firewall here and there does not solve the security problem. Companies need to define what assets they must protect.”
Firewalls are a first line of defense. You need other tools as well. Security specialists recommend adding encryption and authorization checking to help secure your systems. “Encryption is key,” says Beale. “Unfortunately, companies are not doing enough of it.”
One of the least effective steps managers can take is to use only passwords. They are one of the weakest security precautions. There are standard network security audit tools that can crack hundreds of typical passwords in minutes. Tens of thousands of passwords in a large organization will take little more than a day to crack. These tools are readily available over the Internet and you can bet that hackers know how to find them and use them.
“If all you have is a simple password authentication procedure, it can open the entire facility to security problems,” says Beale. “One password and you’re into everything. We’ve even seen this with the U.S. government.
“And the reams of sensitive information that go through company e-mails is staggering,” Beale continues. “Nobody encrypts his e-mail.” This deficiency creates another vulnerable spot.
Don’t forget about laptops. Thousands of laptops are stolen every year. Companies don’t do much about this problem because managers hope the thief doesn’t really understand what they have. But that’s naïve. While few companies have been significantly damaged from stolen laptops, just be sure there are no passwords or other types of access data stored on the device.
Many software companies now offer intrusion detection programs. These monitor any communications into and out of a company or system, and will alert you to unauthorized access. They are useful for attempted hacking as well as worm and virus detection.
Other help includes antivirus software and virtual private networks. Authentication systems are necessary, too. You can expect prices to start at around $100,000.
Backup systems and remote locations are another aspect to consider. Many companies provide such services in a range of prices. A few of the criteria are just how little downtime do you want and how much data backup storage do you need.
Wireless and security
As material handlers investigate wireless solutions, it’s important to consider whether such a system will link to corporate systems. If it will, be careful. Most consultants will tell you that connecting wireless to corporate systems is like having a back door into those systems.
“Actually, wireless is worse than a backdoor into a network,” says Beale. “It’s more like operating as if there were no doors and no walls.”
“In a wireless environment,” adds Spear, “there are several things people need to be aware of. One is making sure the data being transmitted are protected; that the data are protected from anyone able to sniff them off of a network or through the airwaves. Protection should cover data in transit as well as data at rest. Encryption technology is the recommended practice for protecting data in transit.” For data at rest, encryption and authentication are needed.
Virtual private networks may be seen as a way to secure data and systems, but, remember, most of them connect to the Internet, itself a somewhat insecure system. They are better than using a standard phone line for secure data transmission, though. But, notes Somogy, encryption and authentication are needed with these networks too.
New standards are emerging to help improve security of VPNs. A proposal known as Just Fast Keying (JFK) offers a simpler way to manage encryption keys used with VPNs. The Pre-IKE Credential (PIC) would make it easier for companies to adopt digital certificates to secure user access. And the Advanced Encryption Standard (AES) is a new encryption algorithm for VPNs.
And, lastly, don’t forget physical security. “There are numerous examples of people able to just walk into a building and go right to the controlling PC,” notes Beale. “From there, they can do just about anything, transmit a virus, hack into your data, whatever.”
After steps have been taken to protect building access, you can also turn to “black box” PCs. Remove the keyboard or access screen. Arrange it so the only step an intruder can take is to unplug the PC, which, if done right, will send an alarm and you’ll know there’s been unauthorized access. But that’s all the damage the intruder will be able to do.
Security is all about managing risk. How much can your business handle? MHM