Security: a national priority

By saying, in February 2003, that the protection of control systems had become "a national priority," President Bush set off a flurry of security activities in the industrial sector. We remain, however, a long way from reaching the goal of secure industrial infrastructures. So that an appropriate layer of security can be added, most of the past few years' security efforts have been spent simply...

02/01/2005


By saying, in February 2003, that the protection of control systems had become 'a national priority,' President Bush set off a flurry of security activities in the industrial sector. We remain, however, a long way from reaching the goal of secure industrial infrastructures.

So that an appropriate layer of security can be added, most of the past few years' security efforts have been spent simply sorting out the array of connections that have made once proprietary controls hardware, software, and networks open to the outside world. These audit processes can be painstaking, but are a necessary part of any control system security implementation. At several recent seminars, I have heard security consultants recount instances where, prior to an audit, they were assured that the systems under review had no connections to the outside. In each instance, various connections—typically modems installed years ago for a project long-since forgotten—were easily discovered.

That's all it takes to make your control system vulnerable—one modem buried somewhere in the infrastructure that, quite possibly, no one currently on your staff even knows about.

According to the U.S. Government Accounting Office report on Cybersecurity of Control Systems security experts say that unauthorized access to a control system can be had with a port scanning tool and a factory manual found on the Internet that contains the system's default password—an item rarely changed at installation.

If you're still thinking that control systems can only be breached with great difficulty, consider this. The GAO report also states that a George Mason University graduate student has reportedly mapped every business and industrial sector in the American economy to the fiber-optic network that connects them by using unclassified material publicly available on the Internet.

Another misconception to get past is that someone must be 'out to get' you or your company for your systems to be vulnerable. Think about all the viruses swirling around on the Internet at any given moment. Now think about the Web browser or e-mail program on your HMI. Without appropriate precautions, your control systems are vulnerable.

The purpose of this column is not to scare you, because the problem can be addressed nearly as simply as it was created. But it will require great attention and ongoing effort, because a number of unknowns still exist.

To help you sort through the unknowns, our cover story is loaded with advice from Joe Weiss and Bryan Singer. Both are members of the ISA-SP99 control systems security committee and work full-time in positions devoted to control system security. I hope you find their input helpful.

David Greenfield, Editorial Director

dgreenfield@reedbusiness.com

United States General Accounting Office Critical Infrastructure Protection report





No comments
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by...
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
The Engineering Leaders Under 40 program identifies and gives recognition to young engineers who...
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
Sensor-to-cloud interoperability; PID and digital control efficiency; Alarm management system design; Automotive industry advances
Make Big Data and Industrial Internet of Things work for you, 2017 Engineers' Choice Finalists, Avoid control design pitfalls, Managing IIoT processes
Engineering Leaders Under 40; System integration improving packaging operation; Process sensing; PID velocity; Cybersecurity and functional safety
This article collection contains several articles on the Industrial Internet of Things (IIoT) and how it is transforming manufacturing.

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

SCADA at the junction, Managing risk through maintenance, Moving at the speed of data
Flexible offshore fire protection; Big Data's impact on operations; Bridging the skills gap; Identifying security risks
The digital oilfield: Utilizing Big Data can yield big savings; Virtualization a real solution; Tracking SIS performance
click me