After spending nearly a decade following the enterprise software business and nearly another decade in the automation and control space (note that neither instance was a full decade — I’m not that old yet), I thought the old saw about the disconnect between the industrial automation and IT communities had become just that — an old saw. And it seemed to be an old saw whose time had come and gone. Apparently, I was wrong.
Consider this: Over the past decade numerous automation engineers have moved into the IT ranks to help ease the issue of connecting the two islands of information. On top of that, deep down we all knew corporate demands for information access were going to win out over a plant floor engineer’s demand to keep his/her automation area an island unto itself. So combine these two realities and you have an old saw ready for the dustbin, right?
Well, while attending the ODVA conference this week I sat through a presentation on the topic of industrial automation security delivered by Eddie Lee of Moxa (a provider of device networking products) and Paul Didier of Cisco (you know who they are). During the presentation, one of the first points brought up was that, in the IT space, confidentiality, integrity and availability are the most critical data issues and in that order of importance. In the automation space, the exact opposite is true. After all, IT will shut down the entire system in a heartbeat if any sort of critical disconnect occurs. The automation crew, however, will only do the same if the cost of shutting down production is viewed as being the more beneficial route. Their bottom line is to keep the plant up and running at all times.
Having that mindset is great for operations, but a potential threat when it comes to security. To address that issue, Lee and Didier have been working through ODVA over the past few years to create a white paper that addresses security best practices for isolated single controllers, isolated multiple controller environments, and enterprise connected controllers. The white paper is planned for release shortly.
Two major issues getting in the way of effective industrial automation security that Lee and Didier pointed out are:
- When engineers do concentrate on security, they tend to spend more time worrying about protecting the system from a terrorist attack when they should be focusing on addressing the real issues behind most security breaches, i.e., disgruntled employees who have full access to the systems, post-it notes with system passwords plastered throughout the plant, and inadvertent accidents.
- Many engineers tend to wait until a real security problem occurs before doing anything about it.
During the presentation, one person in the audience noted that the best practices Lee and Didier were presenting in the white paper seemed very obvious at this stage of the game. “Isn’t everyone aware of these best practices by now?” the attendee asked.
Lee and Didier agreed that with all the communication that has taken place around this issue over the years, it is not unusual to think that everyone is up to speed on this. But their experience in the field has proven that is not the case.
With the news generated in the last year around the Stuxnet virus, I myself continue to wonder why more automation system designers aren’t finally getting concerned about security.
All of which brings us to the barbecue connection. To understand where I’m going with this, check out the video link below…