SCADA security is a "for whom the bell tolls" story. It tolls for everyone in our biz, according to my friend Eric Byres of Byres Security Inc. Byres is working with fellow Canuck, Ian Verhappen, of MTL, to develop and market a plant-floor-configurable firewall with a bunch of goodies for industrial Ethernet, which they claim will protect all devices connected to the plant floor network.
These two industry stalwarts are friends of mine, but I need to play devil's advocate, because almost everyone I talk to says the control network should be separate from the corporate network. Virtual LANs provide logical, not physical, separation. Should a device fail, and certain conditions apply, we'll have a problem, just as if a rogue Ethernet adapter went bonkers in an IT-owned computer.
There has to be a connection in this vertical world, which puts us in the hands of the IT group. For outside/remote access to happen, they probably wouldn't come through the control network. So why can't the IT guys lock the system down?
"A Quantitative Study of Firewall Configuration Errors" is a 2004 paper on Byres' web site written by Avishai Wool, assistant professor at the School of Electrical Engineering in Tel Aviv. Wool suggests most IT people do not know how to configure a firewall properly. Having just had my remote access set up by a Canadian multinational, I have to disagree.
An IT colleague of mine reviewed the paper, and says claims about topics such as open-ended outbound access shouldn't be valid now.
Regardless of the validity, Wool says the IT guys might not configure the front end well enough to protect the network. And, says Byres, since we (in this case, the non-IT factory-floor folks, not the machine builders) don't know how to configure and administer the firewalls and routers ourselves, we need some magic. Enter Tofino.
Byres says his and Verhappen's IT firewall can stop Microsoft-based hackers. Tofino sits below the IT protection, and will stop non-Microsoft-based hacks. He knows of a printer that spit out some pornographic spam, so, he says, any device with a processor needs to be secured. I think this is a bit too much fear, uncertainty and doubt (FUD).
Don't get me wrong: end users haven't taken the outside world into enough account in their control networks. The more we use Microsoft software and web services, the more we expose ourselves to commercial hackers.
But, look, we have enough trouble making our devices do what we want when we're sitting right in front of them. The assumption that a hacker in Korea or Chile or Ottawa knows what he has connected to and what to do with it is off the mark.
SCADA does the control stuff. When an operator is logged in, he still should have to enter a data-change password.
If your customers are concerned about malicious damage intentions, what will they ask you to do to secure your machine controls and custom processors? I'm not convinced that machine control needs the security front end Byres talks about. Just being on the network shouldn't be the only requirement for a security watchdog. Maybe you can be proactive in the conversation about that customer's factory floor.
My colleague watched a hacker try to get into his network. The hacker used an IPSec hole to grab the IP address of the router used in a VPN setup, then tried to get into the corporate network. My buddy changed the router IP locally; in an hour the hacker had the new IP. The hacker couldn't do anything because of the IT firewall setup. And for the record, AT&T, the owner of the VPN, said the intruder was looking for credit card numbers; some of their customers reported similar intrusions, and none were successful.
We're not immune, and yes, we need to take care, heed some warnings, and collaborate with customers. But, as a machine builder, I think you're pretty safe.