Disgruntled employees.. Have ALL WAYS been a risk to an organization.
New technology has done little to change this. (Yes, OK, it creates some new "twists" on "how" security measures are defeated).
Companies will always be dependent on the honesty of employees. No system for a manufacturing/processing plant will ever get around this. Accept this and plan security systems accordingly. There will always be an employee with the "keys to the kingdom".
What has changed. Dependence on physical access for security measures.
Any security that depends on physical barriers is no longer valid. Wireless networks, usb drives, CD drives, etc.. are only the beginning of the reasons why limiting physical access is a lousy security method. Very similar to issues relating to car theft. If the thief is determined and clever, the car will be stolen, regardless of the security systems put in place. A better plan.. assume physical security doesn't exist and plan with this limitation in mind.
Any security that depends on "obscurity" of it's system is no longer valid. A better plan assume your custom system (network, control, security) isn't really so "custom". This illusion is similar to Apple users assuming they are immune to computer viruses.
Multiple levels of networks within a facility.. can be good for security , but not great. It can be great for network robustness (keep the traffic where it belongs). Don't confuse the issues.
Educating to these new realities is the first priority. This is NOT easy. People have depended on physical barriers for security for all of history. It is engrained in to the way we view the world - even how we simply talk (whisper).
Technology is just forcing us to review our perspectives on security (and privacy).
Rob--excellent post. A little scary though. I have one client that absolutely prohibits the use of SmartPhones inside the plant facility. Any emergency call must come into a central office and a specific phone number. The individual needed by the caller is then notified to "call home" or whatever. To do this, he or she must use a landline or go outside to make the call. I actually thought the issue was time away from the job or texting on the job but now I'm not that sure. Do you know what protection nuclear power plants have relative to IT security? I hope this would be the ultimate protection.
It is interesting to see these issues cross over from the Telecom world into the plant control world. In the Telecom(Service Provider) world, IT and Control departments use QA Production Labs to validate interoperability and security needs so that they have have confidence in their networks and their ability to handle attacks as well as perform correctly. The issue of a constant barage of software releases and patches dictates the necessity to stand up a lab for testing using automation to keep up with the flow of these releases. New equipment with new features (not to mention new phones and other network devices for the smartgrid) also warrant this sort of testing strategy just to keep the uptime acceptable for your production environment. We are writting up some case studies for companies that have proved out these concepts and will publishing them soon. Please contact me directly if your want to setup a strategy to prevent your plant from being downed from these new threats.
It seems to me that if a control system is critical, especially to safety. then it should not send ANYTHING through the aether. It's very hard to interfere, either accidentally or intentionally, with signals going through plain old copper wires.
One of my consulting clients followed a wise policy in this matter. All communications within the plant were wired, and if he needed to update a customer's program, he transmitted the software either by delivering a disk, or using a telephone modem which was plugged in ONLY while the program was being transmitted. Of course that meant his programs had to be elegant and compact enough to be transmitted over a limited bandwidth, but his code writers were good at that.
TJ, I design, integrate, and maintain a distribution SCADA system and several plant control systems.
What you wrote about is seen by many as wonderful positive case for remote access. However, you have no idea what might happen if the remote access information were ever compromised. Would it be accessed by a vindictive spouse or child? Is the remote access software hardened enough?
Do note that I have seen SCADA systems built around Java, I have seen remote access software with very insecure hashes, I have seen lots of stories of Android and iPhone malware that gets behind the VPN and does all sorts of rude things. The volume of zero-days and patches on these platforms is frightening.
There really is no way to know with any certainty that the remote access software is safe. It wasn't that long ago that VxWorks, the OS for many embedded systems, was discovered to have used an extremely weak hash algorithm for passwords. A brute force hack against a VxWorks password hash file turns out to be trivial. So how many people know this about VxWorks and how many people know to patch this OS? Damned few.
Let's get serious here: It's not just the control engineers who are flummoxed with all this software. It's the IT departments too.
That said, If you expect long windshield times getting access to a site, if you are running extremely thin on staff, if you do not have remote site resiliency features available to you; then remote access is almost a foregone conclusion, regardless of whether you are worried about the security risk.
I believe that instead of expecting superhero engineers, we should be designing systems so that there is no need for these folk to swoop in and save the day from their iPhone while sipping a Daiquiri in Tahiti. In effect, we need to improve the robustness of the design so that remote access is not needed. Your positive story is not something I would highlight as a good thing.
Even more to the point of government intrusion, big corporations who "donate" to the right political party and have the standards slanted in their favor to get a market advantage that buries true innovation!
And with the revelations of IRS political hacks, this is an undeniable truth even if you live in the land of unicorns and believe our government is benevolent!
I agree, Chuck, cyber intrusion is scarier than papers in a briefcase. I asked once whether it would have been better if plants had kept their systems issolated as in the past. Apparently the benefits of the connectivity ae just too great to pass up.
It won't be too much longer and hardware design, as we used to know it, will be remembered alongside the slide rule and the Karnaugh map. You will need to move beyond those familiar bits and bytes into the new world of software centric design.
Focus on Fundamentals consists of 45-minute on-line classes that cover a host of technologies. You learn without leaving the comfort of your desk. All classes are taught by subject-matter experts and all are archived. So if you can't attend live, attend at your convenience.