When operators consider cybersecurity, they tend to focus on Legal, HR, and Finance data. This makes sense; intellectual property and personal information security are essential for competitive advantage, and Dodd-Frank, SOC, and FTC regulatory compliance also come into play. But what about facilities and engineering data? As the hosting of major Capex projects shifts from contractor environments to owner-managed environments, third parties already get the access they need to collaborate through engineering applications. So what can be gained from securing it? The better question is, what can be lost by not securing it?
A while back, in a meeting with a client, we were discussing the vulnerabilities of remote access to engineering solutions. The client was sure that their engineering applications were 100% secure. To prove it, he provided a guest log-in to their engineering applications’ hosted environment during the meeting. Within minutes, our team had access to the backend data and environment details of one of their most widely used applications. A few moments longer, and we had made it onto their internal business network. They were stunned. This could have been a significant safety risk had these applications been hosted in part on their PSN.
So why is no one looking at this type of access as a security breach? For one, the objectives are mostly honest; the perpetrator’s goal is not typically to sabotage or steal, but rather to make their projects more efficient. After all, the data is project information and is made available in the engineering application anyway. However, it is not the access to the data that is the concern; it is how the data is accessed. Problems occur when the user bypasses the engineering applications to gain entry into the backend databases. This access to the database can allow contractors to streamline their workflows or practices. This is good, maybe? But don’t let these benign intentions distract from the inherent risks.
There are several potential problems with failing to address security in these engineering application-hosted environments.
- Direct and unauthorized access to the database undermines the safeguards built into application workflows and bypasses approval processes and activity tracking.
- There is no way to guarantee that everyone is operating with the best intentions.
- There is no way for a user with knowledge of only one project to fully understand how data is being used throughout the facility on other projects.
- Changes to the underlying data can be disastrous and expensive even when the intentions are virtuous.
With today’s remote work environments and large data projects, it is common for operators to work with several contractors across multiple projects at any given time, all of them accessing the same information. Changing a single data point could have devastating and costly repercussions for others, like a catastrophic failure or tens of thousands of man-hours to fix an issue. Breaches don’t have to be terroristic or competitively motivated to be threatening. They generally come from engineers merely trying to simplify their work by venturing into a restricted area without a sign or lock on the door.
By preemptively implementing an engineering application-based security solution in hosted environments, companies can prevent unwanted access, maintain better data integrity, and minimize the risk of costly mistakes whose potential consequences are far more costly than a security solution.
ProLytX is an Engineering IT firm based in Houston, TX, and is a leader in this field, coaching clients to success with a unique combination of engineering and IT skills. If you want to learn more about ProLytX and how we can help you bridge the gap between IT and Engineering, find us at www.prolytx.com.