Database security is often a forgotten task. Many systems in the electric sector let an organization choose among a variety of database platforms. Regardless of whether it is Oracle, MS-SQL, MySQL or PostgreSQL serving the historian, energy management system or other control system, the database’s security configuration needs to be addressed. The database system itself will likely have several security options. Be sure to review security best practices for the database platform you will be using. Do not assume that the application front-end system will provide an adequate level of security. Also, perform security reviews of the connections between application servers and database servers!

At the tail end of my career, I chose to study and encourage database security. Most of the problems I found were those that could be exploited from within by employees (or consultants!). Most of the other security-technical staff had no idea what I was investigating or suggesting as remediations. In general, because was primarily from the inside, only a few of my suggested changes were implemented by a few database administrators and first-level management, since higher management had trouble understanding or believing in the insider threat. (That’s my personal analysis of the situation.)
Sorry, I hit “submit” too soon. I meant to say ‘because the threat was primarily from the inside.’