Is there a draft in here? I've been reporting and writing about network security for a few years, but I never felt exposed, scared or ill—probably because I'm not personally responsible for a large factory-floor production line or a potentially volatile process.
However, my concern started to ramp up when I began learning about new viruses like Stuxnet that can lodge themselves and hide in PLCs and DCS-based systems, and then launch "man-in-the-middle" attacks that can damage equipment, while at the same time making it look like the network and its components are running normally. I began to get that twinge behind the knees that we parents get when we see our kids start to fall off a jungle gym on the playground.
Jim Montague is the executive editor for Control.
My worry only increased as I researched this issue's "Do Not Slip Up on Security" cover story (INE 2011 Quarter 1, p12) because many folks seem so uninformed about the capabilities of these viruses. For instance, there were lots of statements that Stuxnet was only focused on Iran's nuclear fuel centrifuges (mostly true), that it can only invade via USB sticks (mostly false, because it can get in through laptops and file transfers), and that Microsoft has already issued software patches (true, but more may be needed). There was little or no discussion that other viruses using similar methods are inevitably on their way.
Consequently, if I were a plant manager, I think my first impulse would be to cut all ties with Ethernet-based networking and the Internet. Business-level reporting and remote troubleshooting be damned.
Unfortunately, I'm told that plant-floor turtles no longer can pull their heads in, so to speak, and that their noggins will get stuck or lopped off if they try it. The links that enable remote monitoring and enterprise reporting are just too important because the whole lean-and-mean, just-in-time manufacturing infrastructure that has grown up in recent years depends on them. Of course, many statements that you can't sever Ethernet-based networking ties come from people who sell security systems and services, and so they have a conflict of interest, but they're probably right.
Still, in my usual search for unbiased information, I repeatedly called and emailed several branches of the U.S. government because it's supposed to have so many folks working on "cyber security." These included the U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), the National Institute of Standards and Technology (NIST), Idaho National Laboratory (INL) and the non-government North American Electric Reliability Corp. (NERC). Unfortunately, though I got through to a few receptionists and people who promised to set up interviews, no one called back or communicated any advice on network security. Now, I'm sure they're all very busy with high-level security projects, but again I'm just glad I wasn't a plant manager with a disabled network.
Several other suppliers and end users reported running into the same brick wall, too. Even most of the best security practices on the ICS-CERT website are five or six years old, as if someone set up the site and then let it grow stale.
I think my situation is even more ridiculous in light of the recent Washington Post series on the huge federal security bureaucracy that grew up since 9/11, which apparently scours vast amounts of Internet traffic to generate reports that no one reads (http://projects.washingtonpost.com/top-secret-america).
So, if your slender amphibian neck is on the line and it's getting cold, what to do? Are there any security blankets out there? Well, the basic advice so far is to deter and mitigate. This means inventory your network and equipment; account for all data pathways into your application and facilities; enable and routinely update complex passwords; turn on and maintain existing antivirus software; identify and prioritize vulnerable points in your network; segment it into functional zones and subzones, perhaps using DuPont's reference model; isolate those zones with firewalls that only allow well-defined, crucial communications; don't allow the use of unchecked USB data sticks, laptops or other data storage devices in your facility; update your company's security and software patching policies, and train all employees to follow them; require plant-floor and IT staffs to cooperate on security issues; regularly back up essential data and software to an isolated setting; and have some replacement equipment and software available and ready to go in case an intrusion disables some of your devices.