Comments (page 5 of 7)
Thinking_J
User Rank
Platinum
Some risks were always there and still are.
Thinking_J   7/1/2013 4:34:15 PM
NO RATINGS
Disgruntled employees have ALWAYS been a risk to an organization.

New technology has done little to change this. (Yes, OK,  it creates some new "twists" on "how" security measures are defeated).

Companies will always be dependent on the honesty of employees. No system for a manufacturing/processing plant will ever get around this. Accept this and plan security systems accordingly.  There will always be an employee with the "keys to the kingdom".

What has changed: dependence on physical access for security measures.

Any security that depends on physical barriers is no longer valid. Wireless networks, USB drives, CD drives, etc. are only the beginning of the reasons why limiting physical access is a lousy security method. Very similar to issues relating to car theft. If the thief is determined and clever, the car will be stolen, regardless of the security systems put in place. A better plan: assume physical security doesn't exist and plan with this limitation in mind.

Any security that depends on "obscurity" of its system is no longer valid.
A better plan: assume your custom system (network, control, security) isn't really so "custom". This illusion is similar to Apple users assuming they are immune to computer viruses.

Multiple levels of networks within a facility can be good for security, but not great. It can be great for network robustness (keep the traffic where it belongs). Don't confuse the issues.

Educating to these new realities is the first priority. This is NOT easy. People have depended on physical barriers for security for all of history. It is ingrained into the way we view the world - even how we simply talk (whisper).

Technology is just forcing us to review our perspectives on security (and privacy).

bobjengr
User Rank
Platinum
iPhone
bobjengr   7/1/2013 4:15:06 PM
NO RATINGS
Rob--excellent post. A little scary though. I have one client that absolutely prohibits the use of smartphones inside the plant facility. Any emergency call must come into a central office and a specific phone number. The individual needed by the caller is then notified to "call home" or whatever. To do this, he or she must use a landline or go outside to make the call. I actually thought the issue was time away from the job or texting on the job, but now I'm not that sure. Do you know what protection nuclear power plants have relative to IT security? I hope this would be the ultimate protection.

Rob Spiegel
User Rank
Blogger
Re: VPN
Rob Spiegel   7/1/2013 1:04:46 PM
NO RATINGS
AnandY, do you know if many plants deploy the security measures you describe?

Rob Spiegel
User Rank
Blogger
Re: Security bypass
Rob Spiegel   7/1/2013 11:15:47 AM
NO RATINGS
I wasn't even aware of that, AnandY. That's disturbing. Do you have any idea how IT is coping with that problem?

Rob Spiegel
User Rank
Blogger
Re: Web browsers
Rob Spiegel   7/1/2013 10:49:14 AM
NO RATINGS
Yes, AnandY, the malicious bugs are a huge concern for control engineers. A simple move such as an employee downloading music can have serious consequences.

tsieda
User Rank
Iron
Re: Standards
tsieda   7/1/2013 10:48:03 AM
NO RATINGS
It is interesting to see these issues cross over from the Telecom world into the plant control world. In the Telecom (Service Provider) world, IT and Control departments use QA Production Labs to validate interoperability and security needs so that they have confidence in their networks and their ability to handle attacks as well as perform correctly. The issue of a constant barrage of software releases and patches dictates the necessity to stand up a lab for testing using automation to keep up with the flow of these releases. New equipment with new features (not to mention new phones and other network devices for the smart grid) also warrants this sort of testing strategy just to keep the uptime acceptable for your production environment. We are writing up some case studies for companies that have proved out these concepts and will be publishing them soon. Please contact me directly if you want to set up a strategy to prevent your plant from being downed by these new threats.

j-allen
User Rank
Gold
Cyber intrusion
j-allen   7/1/2013 9:51:09 AM
NO RATINGS
It seems to me that if a control system is critical, especially to safety, then it should not send ANYTHING through the aether. It's very hard to interfere, either accidentally or intentionally, with signals going through plain old copper wires.

One of my consulting clients followed a wise policy in this matter. All communications within the plant were wired, and if he needed to update a customer's program, he transmitted the software either by delivering a disk, or by using a telephone modem which was plugged in ONLY while the program was being transmitted. Of course that meant his programs had to be elegant and compact enough to be transmitted over a limited bandwidth, but his code writers were good at that.

ab3a
User Rank
Platinum
Re: 3 levels to the plant
ab3a   7/1/2013 8:49:31 AM
NO RATINGS
TJ, I design, integrate, and maintain a distribution SCADA system and several plant control systems. 

What you wrote about is seen by many as a wonderful positive case for remote access. However, you have no idea what might happen if the remote access information were ever compromised. Would it be accessed by a vindictive spouse or child? Is the remote access software hardened enough?

Do note that I have seen SCADA systems built around Java, I have seen remote access software with very insecure hashes, I have seen lots of stories of Android and iPhone malware that gets behind the VPN and does all sorts of rude things. The volume of zero-days and patches on these platforms is frightening.

There really is no way to know with any certainty that the remote access software is safe. It wasn't that long ago that VxWorks, the OS for many embedded systems, was discovered to have used an extremely weak hash algorithm for passwords. A brute force hack against a VxWorks password hash file turns out to be trivial. So how many people know this about VxWorks and how many people know to patch this OS?  Damned few.

Let's get serious here: It's not just the control engineers who are flummoxed with all this software. It's the IT departments too.

That said, if you expect long windshield times getting access to a site, if you are running extremely thin on staff, if you do not have remote site resiliency features available to you, then remote access is almost a foregone conclusion, regardless of whether you are worried about the security risk.

I believe that instead of expecting superhero engineers, we should be designing systems so that there is no need for these folk to swoop in and save the day from their iPhone while sipping a Daiquiri in Tahiti. In effect, we need to improve the robustness of the design so that remote access is not needed. Your positive story is not something I would highlight as a good thing.


Jake Brodsky

GTOlover
User Rank
Platinum
Re: Standards
GTOlover   7/1/2013 8:47:18 AM
NO RATINGS
Even more to the point of government intrusion, big corporations who "donate" to the right political party and have the standards slanted in their favor to get a market advantage that buries true innovation!

And with the revelations of IRS political hacks, this is an undeniable truth even if you live in the land of unicorns and believe our government is benevolent!

Rob Spiegel
User Rank
Blogger
Re: 3 levels to the plant
Rob Spiegel   7/1/2013 8:39:16 AM
NO RATINGS
I agree, Chuck, cyber intrusion is scarier than papers in a briefcase. I asked once whether it would have been better if plants had kept their systems isolated as in the past. Apparently the benefits of the connectivity are just too great to pass up.

Copyright © 2014 UBM Canon, A UBM company, All rights reserved. Privacy Policy | Terms of Service