Keeping safe; tech transfer

Your job requirements likely include keeping present processes safe from electronic intrusion, and considering every advantage that could help speed time to market—such as technology transfer agreements. "During my first 28 years in the industry, I tried to make systems more open, productive, and easy to use.

By Mark T. Hoske, editor-in-chief July 1, 2003

Your job requirements likely include keeping present processes safe from electronic intrusion, and considering every advantage that could help speed time to market—such as technology transfer agreements.

“During my first 28 years in the industry, I tried to make systems more open, productive, and easy to use. We never considered vulnerability,” according to Joseph Weiss, consultant with Kema Consulting Inc. and formerly with Electric Power Research Institute.

Attacks, mischief, disruptions, and damage can be distributed, dynamic, and hard to detect. Don’t think this doesn’t involve you—control, automation, and instrumentation vendors, end-users, and system integrators can all be part of the ongoing problem and solution, Weiss suggests. Smart meters or relays, control systems, and other embedded real-time devices can be susceptible—whether wired or wireless. More than 30 control system attacks have been documented, he says, most unintentional, but some caused facility downtime. Further, Weiss says, at least one set of tools to attack programmable logic controllers is readily available in the Internet. Damage potential can include ability to overflow buffer and kill all programming, including chip-level PLC code.

What can you do?

Check the assumptions that go into how your systems interact with users and are accessed. Do you regularly review security procedures? Ensure default passwords on equipment have been changed, aren’t obvious, are changed regularly, and record who accesses what and when. Account for all external modem and phone line connections. Finally, ensure operations and IT talk to each other and with the company attorney about potential liabilities. If IT is doing the testing, they better have someone with controls experience to help.

Gold mine for the asking?

If you haven’t considered looking at technology transfer from U.S. government-related resources for fear of red tape, you might want to reconsider. It’s gotten easier to take advantage of the billions of research dollars, hundreds of labs, and thousands of researchers working on your behalf, so to speak. Signed agreements have happened in as little as a week, says John M. Bacon, program manager for the next generation sensor initiative at Johns Hopkins Applied Physics Laboratory.

How to proceed? Determine your areas of research requirements, assign a person to the task, search the websites, contact a technology manager, sign a non-disclosure agreement, get technology information, participate in business and technology discussions, execute agreements, and shorten time to market.

Weiss and Bacon were part of the recent 2003 Measurement, Control & Automation Association Executive Forum.

More security and technology transfer tips

  • Control system security tips include the following.

  • Keep software up to date with current, legitimate security patches, and ensure older versions don’t creep back in.

  • Question cycling—is it intentional or malicious? Set systems to acknowledge, handshake, and record any setting changes and their sources.

  • Are you giving detailed control system courses to people who do not have control systems?

  • Think your systems are secure?

  • Try to break something—is the reset automatic upon failing password entry?

Beyond taking heed of security issues to be responsible to customers, employees, and shareholders/company owners, electronic security mandates have begun. The U.S. Federal Energy Regulatory Commission and National Electric Resource Council mandated that corporate electric utility officers sign their names to an undefined “substantial compliance” for cybersecurity by January 2004. Oil and gas utilities are likely next, according to Joseph Weiss, consultant with Kema Consulting Inc., www.kemaconsulting.com.

Where to start with tech transfer

Improving technology transfer requires a starting place, and that can be a number of recommended websites, explains John M. Bacon, program manager for the next generation sensor initiative at Johns Hopkins Applied Physics Laboratory .

See the Federal Laboratory Consortium for Technology Transfer , Association of University Technology Managers , Licensing Executives Society International and National Technology Transfer Center .

For more on visit MCAA .

Direct links to related Control Engineering coverage on security, MCAA, and technology transfer follow.

“Cover Story: Get safe: Prepare for Security Intrusion”

“MCAA 2003: Opportunities, faster gains, M&A vs. sales, listening”

“MCAA 2003: better financials; hit the cycle now”

“Technologies R Us”

MHoske@cfemedia.com