On July 24, I was scanning my news feeds (I use Google Reader to subscribe to a large number of news sites via RSS, or really simple syndication—you, for example, can receive Automation World updates the same way) when I spotted a report in “Computerworld” about a worm attack on Siemens process control and its WinCC supervisory control and data acquisition (SCADA) system. I published the link at www.garymintchellsfeedforward.com on Saturday and sent a note to Siemens seeking clarification or amplification. I followed up with more information on Sunday.
I had at least one piece of news daily for more than a week. Siemens responded on Monday, and then sent updates daily. The company jumped on the problem immediately and sent information to me often. Its communication was clear and reasonably technical. The problem was apparently industrial espionage, in which a virus writer exploited a hole in Microsoft Windows and the published default passwords in Siemens WinCC. The virus is uploaded to a target computer through an unsecured universal serial bus (USB) data stick. One controller was found to be infected in Germany, but it was not apparent that data had yet been sent from the infected computer to its home. This Stuxnet worm had been found mostly at sites in Iran up until then.
The method of introducing the virus through a USB stick points to a problem that we find in all our research on both safety and security—management of at-risk behavior. BP seems to be in the news often with major safety problems, first at refineries and now oil rigs. Toyota was in the news this spring with an accelerator problem that its management took way too long to acknowledge and then deal with. Just to show how prevalent environments that fail to manage behavior are, the athletic program at the University of Southern California (USC) is now in trouble with its sanctioning body, the National Collegiate Athletic Association, or NCAA, because it didn’t manage the risky behavior of its coaches, who evidently were violating policies.
Drip-drip of bad decisions
The BP problem seems to have come from the buildup of small decisions that accumulated into a big problem. In other words, an environment that didn’t instill disciplined decision-making. That seems to be the problem at Toyota, where current management has lost track of the discipline that made the company great. Same thing at USC. What about your situation? Do you want your name in “The New York Times”, where a technician reported on such happenings as turning off the safety alarm so that it didn’t awaken sleeping workers? Or constant “blue screen of death” computers?
I’m sure you don’t want to be the person fingered for bringing in a USB stick with pictures of the kids that loads a virus that brings down a process. I’m sure you don’t want to be the person who looks the other way as someone continues at-risk behavior that leads to injury or death. The first computer I sold to a manufacturing customer somewhere around 1991 came without the Solitaire application. The area superintendent didn’t want maintenance technicians wasting time with games. We’ve certainly come a long way since those days—for better and for worse.