The people in IT are tasked with keeping company data safe. A problem arises when users fail to take into consideration the risk that unsecured devices can pose. When IT tells them that they need time to research securing such devices, the end user gets upset and complains that IT is being difficult. In my experience, IT does not start the "war"; it is the end user that is trying to introduce an insecure device into the environment. Generally, IT is not given sufficient time to evaluate the device because the end user wants it NOW! The iPhone was a consumer device which was insecure when it was introduced into the market. At that time Apple was very uncooperative with issues dealing with security. It was only after the IT departments in companies that were concerned about sensitive data started pushing back that Apple finally started addressing security issues. IT is here to protect the end users from themselves. End users do not understand the implications of bringing untested technology into the environment. We all like to have police officers around except when we get a speeding ticket. Let your IT department do their job and protect your company.
I'm not sure of the relevance of the comment I'm about to make, but...I was recently researching a slideshow on engineering criminals and was amazed to discover, not only how young some of the best hackers were, but also how few of them had engineering backgrounds. In fact, the majority had only high school educations.
I agree with you. People need to think about their use of technology before creating lifestyle choices and communication methods based on poor premises.
Sometimes an email... even across the room... can help document and clarify an issue within an organization. Other times, it is just a poor substitute for talking.
People need to choose the right tool for the job.
Before anyone downloads and uses a smart phone app... think! (about all the implications/consequences).
Trustworthy employees, educated to think about security and appropriate use of technology... are likely the most important security features a facility can have.
Trying to provide additional security via standards is a noble idea. Doomed to failure without trustworthy and educated employees in place.
I digress a bit here.....
Much of corporate America has been trained NOT to trust their employees. Reasons are many, but biggest is because much of upper / middle management are not trustworthy themselves.
Good or bad... NSA has to trust subcontractors like Eric Snowden for their networks. Let's face it... the best IT administrators generally don't come with military backgrounds (with ideals similar to NSA, CIA, etc., with loyalty to their oaths). In fact, a large portion of network security specialists come with anarchy (hacker) backgrounds (independent ideals trump oaths). NSA seeks out new employees at hacker conventions!
The NSA needs and hires these people assuming they can control them (don't they think like us?).
Yea... I don't like generalizations either... but you get the basic idea.
Facility security conflicts will not be resolved with technology alone. Resources should be applied to the bigger issues (people)... before being applied to the lesser (technology).
It is a similar situation with large facilities management. And not any easier to resolve.
You obviously know more about this stuff than I do. I tell people, "I know how to do what I know how to do on a computer and everything else is witchcraft."
However, it is apparent that the more we depend on computers to replace things which were once done on paper, the more these sorts of problems will exist. I do not want to return to the days of old, but when I see two employees e-mailing each other across a vast chasm of 20-30 feet, methinks this is a ridiculous use of technology. When my wife and kids spend 30 minutes or so texting each other information that could have been handled in a 45 second phone call, it bothers me. When some company has their payroll handled in India because it saves a few bucks, I am not sympathetic when their bank records get hacked.
You are right in that I do practically nothing in which any other company would be interested, and the only hacker I need to worry about is some kid fooling around. I cannot say that I am disappointed by that.
While I agree that a wired, closed system is likely more secure than a system with internet access or wireless access... it isn't really that much more secure from a disgruntled employee (my earlier point). Or if you really have a high value target (for industrial espionage or military)... physical barriers can still be breached without notice... if the incentives are high enough.
And just because Stuxnet was exposed... this didn't do ANYTHING to eliminate it. It cannot be easily removed from the MILLIONS of computers infected with it (it resides on the motherboard, not the hard drive). And why bother to remove it? It doesn't do anything unless you are running centrifuges with Siemens controllers. It is VERY possible you are viewing this on a "Stuxnet-infected PC". Do you really know the source of your BIOS? Do you verify your CNC machining centers to be free from hidden access codes? Most motherboard manufacturers use a handful of BIOS suppliers, regardless of PC brand. And the BIOS suppliers? They use programmers from all around the world.
Just because a "system was defeated once"... doesn't really mean anything in protecting against it in the future in this case. It is beyond many manufacturers of equipment to really review ALL of the code in their machines. They buy device drivers, RTOS, BIOS, etc., because the complexity is beyond their ability or the price is right. Should the world require ALL code be re-written by each company making equipment?
Are you prepared to test the security of all the devices on your internal network? Do you have access to the source code for all your equipment?
Can you say you have access to the quality of manpower required to do this job when there is a world of professionals trying to break in - undetected?
The reality: You really don't know how secure your facility is.
The likely situation? Your facility's real security resides in the fact that it is not a worthy target for professionals...
Which leaves you protecting your facility from curious kids or disgruntled employees..
The solution is to deny yourself and employees possible methods of being more productive (smart phones/remote access)?
That may be reasonable for some facilities. Not so reasonable for others.
Those responsible for a facility need to understand the issues, trade-offs, risks and actionable items... regularly.
I agree, Notarboca, that standards can be more of a problem than a solution. The WIB certification may be of some help, but it's still an unknown. Meanwhile, plant systems are becoming increasingly open to outside technology.
Thanks TJ. That remote access, however, is still a vulnerability. So far IT and control managers are not playing well together. Their priorities are in direct conflict. It will be interesting to see where this goes in the future.