walt_boyes
walt_boyes
walt_boyes
walt_boyes
walt_boyes

Security is more than hating Microsoft

June 1, 2005
In his June editorial for CONTROL, Editor in Chief Walt Boyes believes we are picking unfairly on the security flaws of Microsoft, while ignoring the wider implications of the problem for process automation.
By Walt Boyes, Editor in ChiefRECENTLY, IT WAS revealed that Firefox, the extremely hot new darling of the web browser business, has some critical security flaws. Doesn’t this sound familiar? Well, it should. People both inside and outside the process automation business have been after Microsoft for years because Internet Explorer has revealed one security flaw after another.The press releases from Mozilla Foundation read just like the press releases from Microsoft have over the years: “We’ve found a flaw, and we’re fixing it as fast as we can.”It is easy to blame Microsoft for security issues with Internet Explorer, or with Outlook, or Microsoft Exchange, or Microsoft Server 2003. And yes, Microsoft should do more of what they say they’ve been doing for a couple of years now: spend time and money on plugging security holes before they release new software.But the easy way isn’t the smart way. And in this case, I believe that we are picking unfairly on Microsoft, while ignoring the wider implications of the problem for process automation.The presence of these kinds of flaws, security and otherwise, is a function of program complexity, coupled with the number of people willing to spend time and talent identifying and attacking those flaws. The more complex the program, the higher the potential is for undiscovered security flaws. The greater the number of attackers, the more likely those flaws will be uncovered.It has very little to do with the copyright holder of the software, or the type of license under which the software is distributed.As Firefox has gotten more popular, more hackers have exercised their talents finding flaws. This is exactly what most security experts have been predicting for months. The same thing has happened with popular cell phone operating systems, with Unix, with Macintosh OS X, and with Linux.In fact, for about three years now the number of security incidents reported for Internet Explorer has been consistently decreasing while the number of similar incidents in other operating system environments has been consistently increasing. I bet you didn’t know that.Microsoft’s security initiative is working.Nothing can defend against SSPs (Stupid Security Practices). The best anti-hacking toolset and the most securely designed operating system aren’t going to defend a system where the administrators’ password is “root” or “admin.”Being techies, we tend to think in terms of technical solutions to technology-based problems. Even in process operations, this is a limiting mindset that we need to grow out of. In the case of SSPs we need to eliminate them at the source, which has absolutely nothing to do with technology, and absolutely everything to do with moving to a new mindset about security.In WW II, the end of which we have just celebrated for the 60th time in Europe, there were posters everywhere with the tagline, “Loose Lips Sink Ships.” I think the implications of this are clear, don’t you? If you don’t spend the time, the talent and the money inculcating the security mindset into the people who populate your enterprise, don’t be surprised if you get bitten.We are process automation professionals, not IT folks, right? WRONG.One of the things that is happening very swiftly in this new century is that the line between plant floor automation and IT is blurring and being swept away.We need to be Plant IT folks, and we need to know the entire picture. We are the essential personnel who can do everything in an enterprise from sensors to MES to enterprise IT.