Excellent post, Rich. Security on the control side is an important issue. But it's also interesting that many of the vulnerabilities are related to apps and casual administration of access permissions.
Marc may be right that only 500 people understand the ins and outs of the ever-changing network of control. Just a few short years ago, that number was probably considerably lower. Until recently, nobody needed to know network security in plants. The plants were islands. That's changed. Now the plant is networked to the ERP system, to customers, to vendors, to suppliers. And IT is breathing down the neck of the control engineer about cell phones in the plant and downloaded music on plant PCs. The world of the control system has changed, and it's relatively new.
Back in the earlier days of microprocessor hardware, you used to have to "blow" (program) a UV PROM or EEPROM, and on the EEPROM you had to blow those fuses to prevent reprogramming the BIOS control of a device. The improvement was to add a physical jumper if you needed to program a device.
Now you can alter basic programming on-line. THAT is the biggest security hole ever created!
My security cred comes from both the microprocessor and supercomputers; I have worked with both. I also did security on our link to DARPAnet; Cray bought my copy of "The Cuckoo's Egg".
Something else to consider: you never hear about the truly successful security breaches.
I'm either one of the 500 or one of the people who never make headlines; make your choice...
There is no such thing as complete security; you just have to decide how much is enough, what you are willing to pay for it, and what you will give up in efficiency and convenience to get it. Adobe Acrobat is a notorious security problem because everyone uses it (it's free), and therefore it is an attractive target for internet hackers. You can avoid this by taking your control systems off the internet, like the military does, but then you have to live with the inconvenience of loss of ERP, remote access, etc. You are still susceptible to authorized but disgruntled individuals with thumb drives, but as I said, there is no such thing as complete security.
In 2005 I was working with a major mainframe software supplier on a security writing project when all kinds of security breaches were hitting the news, many regarding missing laptops or online breaches. The supplier had a top team of security experts I got to interview for the project. The federal agency intelligence guy said that the onset of online access to everything was the first major security hole, followed by employees bringing in their own consumer mobile devices like phones and laptops. I thought it was interesting that he placed online access first.
Updating software is one way to introduce viruses or new vulnerabilities. Updating more frequently can adversely impact security.
One way to improve security is to disconnect from the network and physically secure the equipment. Obviously you have to restrict access to trusted employees, and don't give the IT guys access to everything. If the number of trusted employees is small, then it's easier to figure out who sabotaged the machine.
The philosophy that all machines on the network are the same is a dangerous one.
Reminds me of a cyber security expert talking about ways the Stuxnet virus may have been implanted into a network that was physically not connected to any other network. One speculation is to "seed" the parking lot or a sidewalk at the facility with a USB flash drive. An employee might take it into their office and plug it in to figure out which colleague "dropped" it...
Excellent post Rich. We have become so dependent upon the internet and search engines available it would be very difficult to work within a structure where there were no internet connections. I do feel this would provide additional security and if you could eliminate "memory sticks" you could go a long way towards ultimate security. This past week, my two grandsons downloaded a version of "Mine Craft" (or something). You guessed it--the game had embedded within code the "blaster virus". For the life of me, I could not eliminate the "bug". $156.00 later and a trip to the "computer store", I come back relieved no apps or personal documents were affected in a detrimental manner. Problem--this is the computer I use for my company. Even though protected by passwords, they somehow got around the security. (Ultimate hackers.) Stuff happens even in the best of environments.
I agree with Rob that Marc may be right in that there are only five hundred people who have an in-depth knowledge on matters concerning security. There is no doubt that this number was considerably lower some few years ago. This therefore implies that in the coming years the number will grow, ensuring a more elaborate security system.
It is true that many security breaches have taken place owing to the lapses inherent in outdated software. I am of the idea that users should incessantly keep their applications up to date and also ensure that they run only the latest versions of whatever software they are using. Just as a precaution, it would be safer if the users stuck to high-end software only as opposed to trying anything that comes their way.