Perspective

Control System Security: Are Users Missing the Point?

FILED IN: Network Security, SCADA

Joel Langill, who may be better known as the SCADAhacker (scadahacker.com), is recognized throughout the manufacturing and processing industries for his work evaluating and securing industrial control systems.

In this post-Stuxnet era, Langill says the biggest threat facing manufacturers is still the same one that existed before Stuxnet: the generally poor awareness, across the production industries, of the real threats and consequences of cyber security breaches.

“Some manufacturers think they’re safe because you can’t blow up their plant by messing with their control systems,” Langill says. “But they’re missing the point, because the threat is not blowing up your plant but having something happen that keeps you from manufacturing the products that contribute to the bottom line, or by impacting your ability to make a product to spec and thus negatively affecting your reputation.”

When it comes to cyber security impacts such as these, every industry is susceptible.

Set aside grand attacks like Stuxnet, a threat most manufacturers will never face given its highly targeted, highly sophisticated and highly funded origins, and look instead at more common attacks like the Conficker worm; that gives a far better picture of the real threats and consequences you face.

In case you missed it, last fall SAB Miller released information about what Conficker cost the company based on the loss of production at its Romanian plant during the four hours it was shut down to deal with the worm. During those four hours, the company lost more than $11 million.

“People think the threat comes from bad guys,” says Langill. “But the real threat comes from employees who don’t know what they happen to have in a document that they’re going to open on a computer they shouldn’t be opening it on.”

You have to understand your threat agents and separate them from your threat vectors, Langill advises.

What Suppliers Are and Are Not Doing
Though Langill sees a number of automation suppliers doing the right things to help manufacturers address security issues, he sees many more going about it the wrong way.

“Vendors are not in the business of doing security,” he says. “When they try to do it themselves, the end result will always be inferior to what could have been produced by people who spend all their time dealing with control system security.”

Some of the positive signs Langill sees happening on the supplier front include:

  • Siemens is planning to release a new communications processor that provides point-to-point authentication directly in the protocol. “We know that this issue is number one—the most important thing we need. What they’re doing is ambitious, it’s a game changer, and it shows they’re taking this seriously,” Langill says.
  • ABB and General Electric are partnering with Industrial Defender. “That’s showing commitment to security, not just rebranding people inside your company as security professionals.”
  • Schneider has been engaging third parties to do assessments and validations on their systems. “They want these outside companies to stress their systems.”

Too many vendors, however, are still not treating security as a real part of their solution. “They still try to do security as though end users just need to follow their practices and buy a firewall and everything will be okay,” Langill says. “In addition, vendors are still not typically offering security assessment and validation during commissioning activities.”

One interesting way Langill suggests to help determine the strength of a vendor’s commitment to the security of their systems is to visit their Web site to see if you can find information on security without typing “security” into the search engine on their page. “Chances are, you can’t do it,” he says.

>> Security Sessions at The Automation Conference
Don’t miss your chance to learn directly from Joel Langill about how to protect the control systems in your plant. Joel will be delivering two cyber security sessions at The Automation Conference, May 22-23, 2012. One of his sessions will be focused on cyber security for processing facilities and the other will be directed at discrete manufacturing operations. Sign up to attend at www.theautomationconference.com.

Comments (1)

I think you touch on some very good points. But you are also missing points from the vendor perspective. Advertising that your system is secure or includes "X" security is like painting a target on yourself. Most of us have heard about Anonymous or Lulzsec by now. If a vendor was to come out and say they improved their security, groups like them would jump at the chance just to prove them wrong. I think that is a major reason why you don't see Control System vendors highlighting their security features. Now you may say, well look at Google, Microsoft, etc. who conduct conferences on security in their products. And although similar, there is a major difference. Consumer-based products have a better history of getting updated by their users. Meaning, you start your computer and it tells you that a new version is available for Chrome. Most Control Systems don't get updated for years. Partly because the group typically in charge of the Control System cares more about keeping it working than keeping it up to date. Doing major upgrades causes potential long-term downtime and costs for something that "might" happen... the risk is real, but businesses are about reducing costs and increasing profits. They very rarely do something just to do it. Keep in mind that you're talking to an industry that for many years wrote their passwords on sticky notes (and some still do), stuck to the monitor of the computer so that multiple people could log in and not forget the password. I'm afraid that we won't see the majority of users take notice until something big happens to raise the alarm. Stuxnet was a push in that direction, but as you say it was highly targeted and well funded, not something the average manufacturer would expect sent against them. It hasn't been very long yet, wait until competition really gets going. We'll see Stuxnet2 before long.
