Cybersecurity Measures for Electrical Maintenance Professionals
Cyber attacks have been a thing for a long time now. Many facilities have taken measures against them, such as requiring two-step verification and more complicated passwords than “admin.” Those that have hired a security consultant and followed the recommendations are reasonably safe from cyber attacks compared to those that have taken a less rigorous approach.
But even if a facility goes full bore in cyber attack prevention at the software and server level, it may be vulnerable to many other types of security breaches. Let’s look at six typical mistakes that employees can make with the result being a security breach.
- Piggy-backing door keys. This seems like a real time-saver, so people often see nothing wrong with opening the door for another person or letting another person go through with them despite not using their own key. A physical barrier such as a keyed door is a great defense. Note that a “key” can be a plastic card or it can be biometric.
- Bypassing or defeating door interlocks. These can be so pesky, and since only maintenance people work in those cabinets why bother keeping the door interlocks? Ask yourself why those interlocks are there in the first place. Answer: Maintenance people would otherwise not be the only people with access to the cabinet. Computers are often locked in such cabinets to prevent physical access to their USB ports, through which malware can be installed or sensitive information downloaded.
- Sharing security credentials. Think of how lockout/tagout requires individually assigned locks. That same concept must apply to security credentials, they must be uniquely assigned to individuals. Yes, there can be a “master key” (same as in lockout/tagout) but it should be unknown to and inaccessible to everyone except the designated master key holder(s).
- Giving out security credentials. A contractor says he needs access but hasn’t been cleared yet or there is some other issue. So you do him a favor and let him use your credentials. That’s like giving another person a key (or combination) to your lockout/tagout locks.
- Falling for social engineering scams. These come in many varieties, but the typical aim is to get one part of a security credential. Many people think that an anonymous call allegedly from the IT department to “check” their password by asking them for it poses no threat because it’s only half of the username/password protection. However, user names can easily be mined from personnel directories. Don’t give out any information to anyone who contacts you. If you first make the contact, ensure that you are contacting someone legitimate.
- Leaving your tablet or workstation unattended if you are logged in. When performing maintenance, things arise like needing to go to the shop for something you didn’t know you’d need. You hate to log out and lose where you were. But if you can’t take your tablet or other device with you, then log out. If you must leave a device unattended out in the field, it’s best to lock it up so that someone can’t insert a thumbdrive with malware, turn the machine on, and infect it. Or they may simply steal it, and then leisurely take from it whatever information they want.
A qualified security consultant can identify many more such mistakes. If your facility hasn’t had a pro look for practices that can lead to security breaches, that’s an oversight that needs to be addressed. And everyone needs to be trained to change their behavior to align with the necessary security practices. Generally, these are pretty simple.