I attended a conference a little while back that covered everything you ever wanted to know about control and automation. The conference was sponsored by Siemens, which gave many of the presentations. But there were just as many by other experts, particularly folks who were either partners or customers of Siemens.
I sat in on a bunch of sessions in the security track, as there was a lot of information that, frankly, I was completely unaware of in that space. I’m mostly referring to how vulnerable our networks are, or, more precisely, how vulnerable your networks are.
At first glance, I asked myself, “Why would someone want to hack into somebody’s network on a factory floor?” The simple answer is: because they can. The less simple and more disturbing answer is: because they want to disrupt someone’s business. You’d hate to think that a competitor would initiate something like that, but you never know.
One of the more eye-opening presentations on this topic was delivered by Chuck Tommey, of A&E Engineering. Tommey is a senior controls systems engineer with 18 years of experience in the field. His presentation was titled, “How Hackers View Your Control System & What You Can Do About It.” The quote that got my attention was, “I’m scared silly. Very few plants are even close to thinking seriously about cybersecurity.”
It’s certainly no surprise that the “networked plant” has arrived and is here to stay. You could easily argue that the “networked world” is here to stay. What I learned at these presentations is that cybersecurity is not keeping pace, not by a long shot.
It’s to the point that our government is taking notice and is quite concerned about the issue. In fact, one prominent government blogger recently wrote about how Senators Joe Lieberman and Susan Collins, along with the Department of Homeland Security, hosted a cybersecurity demonstration. The purpose was to highlight some of the hackers’ methods and show how to protect against them.
The blogger, Brendan Sasso of Hillicon Valley, went on to say, “The sessions are part of a push for cybersecurity legislation. Lieberman and Collins, the top lawmakers on the Homeland Security and Government Affairs Committee, are the lead sponsors of a bill that would empower the Homeland Security Department to set mandatory standards for critical infrastructure systems such as electrical grids and gas pipelines.”
A second presentation I attended covered how to actually implement security in your network. It was given by Harry Brian and Barbara Fichtinger, both of Siemens. The best piece of information I pulled from this presentation was that security has to be implemented as part of the process, not something you add on later. And, “processes require well-trained people who live them.”
As evidenced regularly by our own Black Hat developers, no network is 100 percent bulletproof. But the harder you can make it, the more likely that the perpetrators will simply go looking elsewhere for a network to break into. Make sure you’re not that “other network” that gets hacked.