Building a Resilient World:
The ISAGCA Blog

Welcome to the official blog of the ISA Global Cybersecurity Alliance (ISAGCA).

This blog covers topics on automation cybersecurity such as risk assessment, compliance, educational resources, and how to leverage the ISA/IEC 62443 series of standards.

All Posts

7 Practices to Help You Become Security Conscious

Editor's Note: As we wind down Cybersecurity Awareness Month, ISAGCA continues to provide a collaborative forum to advance cybersecurity awareness, education, readiness, and knowledge sharing. Find these following 7 best practices to keep in mind to help you and your team add to your cybersecurity toolbelt.

What is Secure Practice?

“Security” is a creature of habit who believes in homeostasis. Security likes things to stay the same. Any changes that can bring chaos and chaos is bad for security. However, as an individual, we can help to control the security of our environment by following good security practices.

Security of data doesn’t happen by accident. In any organization, it comes from the combined efforts of several people within the organization working together to discover and address security vulnerabilities.

Real security choices depend on two things: The value of what you’re protecting, and the perceived risk. The less control you have on security, the more venerable your environment.

Mark yourself against these seven practices and see how much you score.

1. Do you lock your mobile phones, tablets, or laptops with a passcode/password to help keep the data safe?

By locking your phone and tablets, you are committing yourself to unlocking it nearly every time you want to make a call or send a text. The most significant part of this equation is in understanding what kind of data you have on your phone or tablets. If the most important thing on your phone is the phone number of your spouse or your Candy Crush high score, locking it is probably not such a big deal.

However, if you are like most people, your phone also includes Facebook, Instagram, and Snapchat auto-login applications, possibly online banking passwords (which you should not save on your phone), personal or work emails (including confidential and non-public data). Thus, your phone is not a just a phone anymore, it’s a place where data lives.

Now, investigate the type of data you have on your laptop. Is it secure? In your organization, you should require having a secure password for laptops and secure passcodes for phones. This practice should apply for personal laptops and phones as well.

Always lock your laptops. This way, you are protecting your data while you are away. A good habit to develop is to lock your computer manually every time you walk away: The shortcut for this is the Windows Key + L on a Windows PC.

Make sure your phones and tablets are locked, and always use an auto-lock feature on your mobile devices. Enable two-step or two-factor authentication for your online accounts (including emails and social networking accounts).

2. When was the last time you changed your password or passcode?

I will give you an example which shows that changing your password is important, which I am sure many are familiar with.

A customer was walking with a client and was about to enter a secure server room. Here, the client was proudly bragging about how they were the only two individuals in the company that had the door combination. The customer glanced at the keypad at an angle, and could see that the keys for numbers 8, 4, and 7 were dulled. On his way back, the customer arrived at the same door and keyed-in the correct combination, and he opened the data center door for himself. The firm had kept the door combination the same for years afterwards.

While I am not suggesting changing your passcodes/passwords every week, if it has been the same for quite some time, it’s time to change them.

3. Are your passwords or passcode strong?

If your password is “12345678,” “abcdefg,” “password,” or “qwerty,” then you need a new password right away. While, theoretically, a bad password provides some security, what it probably provides most is a false sense of security. A password such as “12345678” or “qwerty” really isn’t going to protect you from anything and will make your device more venerable.

Always make sure to use a unique password for each of your important accounts. Use a mix of letters, numbers, and symbols in your passwords, never use any personal information or common words as a password, and make sure to save your passwords in a safe and secure manner.

For phone passcodes, the most popular phone passcodes are “1111”, “0000” or “1234.” If you need a passcode, you might try starting with some random numbers and not making it a continuous pattern (something like “9258”). Try to avoid any memorable dates like your birth date and month combination (“0805” or “0508”) or birth year (“1972”).

4. When was the last time your computer or phone was backed up?

For both personal and professional devices, when was the last time you made sure all your files were backed up? If your answer is something like “I don’t have any plan in place,” then I would suggest you should have one now.

Most of the time you may hear, “My home computer crashed, and it damaged my hard drive.” This seems like a small issue that one would not have to worry about, as we can reinstall applications and software on the computer again. You may lose photos from the previous 2-3 years. Maybe, if lucky, we might be able to use a data recovery software and restore almost everything we have lost, and this will only be a slight cost for the software, a new hard drive, and about 10 hours to recover lost data.

What if we have a home server that backs up every computer in our home once a week, or a cloud-based solution which performs the backup of our important data regularly? If any household computer was infected by viruses rather than try to clean it, we can just rebuild and restore it in a matter of minutes. This is all because we have created a practice of regular backups; becoming a habit, this will make our life easy.

5. Are your Wi-Fi networks secure?

With Wi-Fi, sometimes we don’t even realize how many devices in our home are using wireless technology. Do you have a good password on your local Wi-Fi network?

If you have a router and still have “admin” or “password” as your password, or it matches your Service Set Identifier (SSID) name or some other easy guessed text, you should really consider changing it right away.

If you have a Wi-Fi Protected Access (WPA) key, then check if you can use WPA3 encryption. WPA and WPA2 are no longer considered secure because it still relies on the unsafe Temporal Key Integrity Protocol (TKIP) encryption, so check that WPA3 cryptographic standards are used. If your router or Access Point doesn’t support WPA3, it’s time for an upgrade. You don’t want someone using your wireless network from across the street.

This scenario looks a little bit over the top, but as I sit here at home, I can see wireless networks for four of my neighbors, and one of them is an unsecured network. Devices like Wi-Fi Pineapple and hardware sniffers can steal passwords, so check your wireless network today and make sure you and your family are safe.

6. Are you using an antivirus software?

Using an antivirus software does not simply mean that it’s installed on the machine and running in background. More so, is it correctly installed? Is it updated regularly? When was the last time you had a complete system scan? Do you check the logs that are produced by the scan? What about on your personal laptops or devices?

Antivirus is just a software, and while it has the capability to protect you, it won’t magically keep you safe. Antivirus can help if we understand its usage and limitations.

We tend to ignore the fact that anything which is connected to the internet tends to attract people from all over the world. It’s our responsibility to make sure that what we have is secure. As aforementioned, the security of data doesn’t happen by accident, we must enable good practices and ensure that our systems are secure.

7. To trust or not to trust?

While trusting someone may seem easy, don’t trust anyone simply. You might not get any phishing emails today, but that doesn’t mean that you are not vulnerable. Say for instance that your bank, Amazon, or eBay send you an email that says you have an account problem, and they have included a link for you to fix this account problem by simply logging in to your account.

Generally, the following features are common among phishing emails and should raise red flags:

  • Attachments or links (highlight them and make sure they are HTTPS or a legitimate link)
  • Spelling errors and poor grammar
  • Unprofessional or unclear graphics
  • Unnecessary urgency about verifying your email address or other personal information immediately
  • Generic greetings like "Dear Customer" instead of your name.

I would recommend that everyone follow these listed security practices and make them your habits, as well as share them out and among your teams. After all, security is not just about making yourself secure, but also how secure you make your environments.

Achal Lekhi
Achal Lekhi
Achal Lekhi is a diligent and detail-oriented Operational Technology Security Specialist Professional with a strong academic background and hands on experience in several complex roles in different sectors. Achal is a quick thinker, with an ability to wear multiple hats - strategic, technical, and logical for a given requirement. He believes strongly that there is no problem in the world that does not have a solution! Currently, Achal works as an Operational Technology (OT) Security Consultant across several industries globally. He has an excellent blend of technology capability, OT/IT awareness, Network and Information Security, and Risk and Compliance with a detailed understanding and experience of Implementing OT Security Cybersecurity Standards.

Related Posts

Cybersecurity Investment Tax Credits

Cyberattacks continue to grow worldwide, which has increased awareness and concern about utilities, indus...
Bill Lydon Nov 30, 2021 5:30:00 AM

IEC Designates ISA/IEC 62443 as a Horizontal Standard

The International Society of Automation (ISA) and the ISA Global Cybersecurity Alliance (ISAGCA) are prou...
Steven Aliano Nov 23, 2021 5:30:00 AM

Architecture vs. Design

Many Operational Technology (OT) projects start with identifying the requirements and then diving straigh...
Achal Lekhi Nov 16, 2021 5:30:00 AM