Cybersecurity concerns need to be addressed before connecting industrial assets
Jeremy Pollard, CET, has been writing about technology and software issues for many years. Pollard has been involved in control system programming and training for more than 25 years.
This could very well be the most important column I have ever written. When you are a scribe, you have the ability to talk to some of the brightest minds and most disruptive thought leaders; sometimes, your head can spin. We can get caught up in the hype and marketing of a technology and forget about the implications of that technology, as well as the effects on society and your own back yard.
Right now my head is still spinning with the thoughts of the future and what it holds for me, my kids and their kids.
I am very, very scared, and for very good reason.
Some background first: We are in the technological age where nothing surprises us. We make stuff happen, and we build things. We use commercially available stuff, as well as definite-purpose stuff to make the things we make happen happen.
We are the heroes of “how things are made.” We are also the gatekeepers of our back yards.
We used a central control system called a DCS, or for discrete applications we used a PLC/PAC. We interfaced with these islands with SCADA/HMI systems, which, in the old days, were not available to anyone other than the people on the floor in real-time.
We even used relays and hardwired safeties to protect our processes, our infrastructure and our people. We were safe in our environment. We were in control of our environment, and we were comfortable in that space.
What the heck has happened?
I interviewed four very connected and wise people for this adventure, and, along with my own views and opinions, I got more scared than I already was.
My quest was to discover why commercially available security technology for remote access hasn’t been employed and why we think we as an industry need a bigger, more expensive solution. I discovered more than I bargained for.
I spoke with Joe Weiss, who is a leading authority on cybersecurity and author of the Unfettered Blog. He had some very interesting views on the IoT and the devices connected to the brains of the process.
Ian Verhappen is a fieldbus guru who shares my thoughts on the ubiquity of OPC-UA and has been involved with security for some time. He weighed in with his thoughts on security of those fieldbus systems that people may just want to hack into remotely.
Marty Edwards, who is the director of the Cyber Emergency Response Team of the Department of Homeland Security, shared his views on why we must pay attention to all things including remote access.
Last but not least, I spoke with Steve Hechtman, president of Inductive Automation, which develops Ignition, a SCADA/HMI solution, and has taken the graphics world by storm. He didn’t alleviate any of my fears.
One might wonder how it could get any worse. Well, my distinguished readers, it can and it will. We must change our views and ways of doing things, or we will suffer the consequences of those decisions, possibly for generations.
I hope I have your attention with this. I truly think and feel that we are at a genesis that cannot be ignored—that Internet of Things.
In March 2015, I wrote a column about Internet-enabled Barbie and what it could mean to any space that had wireless Internet access with a corrupted Barbie—the femme fatale.
How would anyone know that she was enabled in the first place, or know what she is able to connect to, or know what data and/or malware she could introduce to the space she was privy to? There is something about a cute doll and her hardware.
So imagine when I spoke with my four colleagues and discovered that I was not only right to be concerned, but absolutely right to be concerned.
Now to be up front about this, I am writing a column on remote-access technology, which is just one of a handful of strategies that you must pay strict attention to. Quite a few companies have made waves regarding security and access. There are quite a few companies out there peddling their wares regarding point-to-point solutions on remote access. They are expensive and make the proposition of remote-access security a “do you need it?” vs. “do you want it?” scenario.
In fact, I received an email from an HMI vendor telling me that I can control HMI from anywhere in the world using open-source software. Remote control of the HMI means remote control of your PLC. What could go wrong with that?
I’ve written about Route1, a multi-factor authentication security company for remote access and security. It is unclear how many intrusions happen from a road warrior vs. an internal disgruntled employee, but if my company needed a remote-access solution, I wouldn’t want them to pay the hostage ransom that some are asking for. Route1 gives users military-grade security and access at a commercial cost, which would be very palatable to most C-suite people and IT departments of any industrial consumer.
We are not in Kansas anymore, Dorothy.
In the meantime, check out The Art of Deception: Controlling the Human Element of Security, by Kevin Mitnick and William Simon. Be driven to be informed, but not by fear.