Control System Security: Are Users Missing the Point?

FILED IN:  Network Security, SCADA
Joel Langill, who may be better known as the SCADAhacker, is recognized throughout the manufacturing and processing industries for his work evaluating and securing industrial control systems.

In this post-Stuxnet era, Langill says the biggest threat facing manufacturers is still the same one that existed before Stuxnet: the generally poor awareness across the production industries of the real threats and consequences of cyber security breaches.

“Some manufacturers think they’re safe because you can’t blow up their plant by messing with their control systems,” Langill says. “But they’re missing the point, because the threat is not blowing up your plant but having something happen that keeps you from manufacturing the products that contribute to the bottom line, or by impacting your ability to make a product to spec and thus negatively affecting your reputation.”

When it comes to cyber security impacts such as these, every industry is susceptible.

If you remove grand attacks like Stuxnet, which is a threat most manufacturers will never face because of its highly targeted, highly sophisticated and highly funded origins, and look at more common attacks like the Conficker worm, you get a better idea of the real threats and consequences you face.

In case you missed it, last fall SAB Miller released information about what Conficker cost the company based on the loss of production at its Romanian plant during the four hours it was shut down to deal with the worm. During those four hours, the company lost more than $11 million.

“People think the threat comes from bad guys,” says Langill. “But the real threat comes from employees who don’t know what they happen to have in a document that they’re going to open on a computer they shouldn’t be opening it on.”

You have to understand your threat agents and separate them from your threat vectors, Langill advises.

What Suppliers Are and Are Not Doing
Though he sees a number of automation suppliers doing the right things to help manufacturers address security issues, he sees many more who are going about it the wrong way.

“Vendors are not in the business of doing security,” he says. “When they try to do it themselves, the end result will always be inferior to what could have been produced by people who spend all their time dealing with control system security.”

Some of the positive signs Langill sees happening on the supplier front include:

  • Siemens is planning to release a new communications processor that provides point-to-point authentication directly in the protocol. “We know that this issue is number one—the most important thing we need. What they’re doing is ambitious, it’s a game changer, and it shows they’re taking this seriously,” Langill says.
  • ABB and General Electric are partnering with Industrial Defender. “That’s showing commitment to security, not just rebranding people inside your company as security professionals.”
  • Schneider has been engaging third parties to do assessments and validations on their systems. “They want these outside companies to stress their systems.”

Too many vendors, however, are still not treating security as a real part of their solution. “They still try to do security as though end users just need to follow their practices and buy a firewall and everything will be okay,” Langill says. “In addition, vendors are still not typically offering security assessment and validation during commissioning activities.”


One interesting way Langill suggests to help determine the strength of a vendor’s commitment to the security of their systems is to visit their Web site to see if you can find information on security without typing “security” into the search engine on their page. “Chances are, you can’t do it,” he says.

>> Security Sessions at The Automation Conference
Don’t miss your chance to learn directly from Joel Langill about how to protect the control systems in your plant. Joel will be delivering two cyber security sessions at The Automation Conference, May 22-23, 2012. One of his sessions will be focused on cyber security for processing facilities and the other will be directed at discrete manufacturing operations. Sign up to attend at



I think you touch on some very good points. But you are also missing points from the vendor perspective. Advertising that your system is secure or includes "X" security is like painting a target on yourself. Most of us have heard about Anonymous or Lulzsec by now. If a vendor was to come out and say they improved their security, groups like them would jump at the chance just to prove them wrong. I think that is a major reason why you don't see Control System vendors highlighting their security features. Now you may say, well look at Google, Microsoft, etc. who conduct conferences on security in their products. And although similar, there is a major difference. Consumer-based products have a better history of getting updated by their users. Meaning, you start your computer and it tells you that a new version is available for Chrome. Most Control Systems don't get updated for years. Partly because the group typically in charge of the Control System cares more about keeping it working than keeping it up to date. Doing major upgrades causes potential long-term downtime and costs for something that "might" happen... the risk is real, but businesses are about reducing costs and increasing profits. They very rarely do something just to do it. Keep in mind that you're talking to an industry that for many years wrote their passwords on sticky notes (and some still do), stuck to the monitor of the computer so that multiple people could log in and not forget the password. I'm afraid that we won't see the majority of users take notice until something big happens to raise the alarm. Stuxnet was a push in that direction, but as you say it was highly targeted and well funded, not something the average manufacturer would expect sent against them. It hasn't been very long yet, wait until competition really gets going. We'll see Stuxnet2 before long.
