One very simple and inexpensive way to hack a companie's network has been described to me, and it would work in a lot of places, particularly those where the system hub is in a closet, not a server room. All a visitor would need is a cheap wireless router and a eternet cable. Plug the cable into the system hub and then into the router, plug in the router, and place it above the dropped ceiling of the closet. The company network could then be accessed by anyone with the router password, within range. And if the hack were discovered, finding the snooper would not be simple, because of the wireless link.
I see what you mean. But Ethernet has been invading the factory since the late 80s, and began to infiltrate the back end--the plant floor--around that time in some industries, even if it was only cobbled together custom attempts at interfacing the control system with early IT networks. So the conflicts began over 20 years ago.
The same volunderability is often found in office building networks where there are wire-closets sometimes left open in hallways. easy instant hacking, with no pesky passwords if the right wireless hub is used.
Rob, that was before the Web, but not before the Internet (I started posting my stories to the Computer Design bulletin board using a 300-baud modem in 1989. For those of you who don't know what that means, it was a very, very slow modem connection to the pre-Web predecessor of a website). In any case, these were not closed loops where I worked, or at the company's customers.
Yes, Ann, I remember the Internet before the WWW. In the early 80s, I worked for a company that prepared articles for sites such as Dialog and sites like Lexus and Nexus. That was back in the day when intermediaries such as special librarians often ran the online searches.
It was a small world with publications such as Online Review and Information Today. I'll never forget when I saw a TV commercial for America Online. I couldn't belive this small online world had spilled over into the consumer world.
Yes, Ann, it was quite a transition from those early dial-up services to the Internet we now know. One significant change is that you no longer need a librarian intermediary between you and the information you're seeking. I remember attending an online conference in the mid-80s. A presenter from one of the major online services (I think McGraw-Hill) demonstrated a page of information. I took about two minutes for the page to load. He admitted that the Internet was not quite ready for consumers.
As one of the co-founders of the SCADASEC e-mail list, Chairman of the DNP User Group, and a voting member of the committee that reviews and writes the DNP3 SCADA protocol (also known as IEEE-1815), this subject is very near and dear to my heart and to my career.
Eric Byres is a well known and highly regarded expert in this field. But there are differences of opinion and there are practicalities that have to be answered.
For example, you could build a perfectly secure system and it would be very labor intensive, and so unusable that the whole process you're working on becomes uneconommical. It's just like trying to build a bulletproof fighter jet. You can certainly protect certain key parts, but you can't protect the whole thing. It would be so heavy that it would never get off the ground.
Likewise with SCADA and control systems, we need lightweight but effective security that doesn't get too far in the way of those who use it and doesn't become so difficult to use that it is cheaper to run operations manually.
The big secret to maintaining a posture of this sort is to keep the data hounds at bay. All this idiotic talk of "Big Data" presumes that someone will "surf" over this data and discover lovely gold nuggets of precious observations that will save the company money. The latter is predicated on gathering the data cheaply. Well, if you want to keep it secure, it won't be cheap any more.
The other problem is that there are too many people with glossy CIO literature who salivate puddles of drool over knowing real time data in the boardroom. No CEO in his or her right mind would want to know data in this detail. It does no good except if you dream of micro-managing your company toward insanity.
There are judgement calls to be made. There are political situations that need to be addressed. And frankly, it is time for some pushback against the "real time" data hounds who have no understanding of the business processes, the industrial processes, or where the leadership of the company wants to go.
We need to get more secure. Of that there is no dispute. The differences of opinion are on the hows and whys.
Focus on Fundamentals consists of 45-minute on-line classes that cover a host of technologies. You learn without leaving the comfort of your desk. All classes are taught by subject-matter experts and all are archived. So if you can't attend live, attend at your convenience.