jim_montague

The only evil

Sept. 6, 2006
There are two kinds of network security: real and imagined. It can be hard to tell them apart, especially if you don't know how they work and the problems they're supposed to solve.
Most fortune cookies these days contain cute sayings rather than actual predictions. However, I got a good one a few years ago that said, “The only good is knowledge, and the only evil is ignorance.” Pretty serious for a cookie, but I’ve also found this simple quote by Socrates to be very useful. For instance, it helps clarify Hannah Arendt’s famous concept of the “banality of evil,” which is the idea that regular people often will follow orders and mass opinion even if doing so is destructive and harmful to other people. Okay, but it sure is easier than thinking for myself.

For example, there are two kinds of network security: real and imagined. It can be hard to tell them apart, especially if you don’t know how they work and the problems they’re supposed to solve. This issue’s cover story, “Fence Me In: Common-Sense Security,” tries to help remedy this situation.

Most control networks used to be hardwired, standalone systems that didn’t require much added security because they were physically isolated, even when they adopted fieldbus technology that tied together dozens of devices.

All this changed with the recent emergence and adoption of Ethernet, Internet, and wireless technologies that can link thousands of devices worldwide. Suddenly, PLCs on the plant-floor could connect to the Internet, serve web pages, update enterprise-level users, as well as pick up viruses and be hacked by intruders. Simultaneously, invasive and malicious software has become so easy to use that a growing hacker community reportedly now uses one-button, “hack and crack” tools.

So, after years of adopting little or no security capabilities, many control and automation engineers are scared their networks and applications will be hacked and damaged, and are desperately seeking any prescriptive software solution or hardware module that promises to protect their application. And—what a nice surprise—there are about a bazillion suppliers with ready-made solutions. What a relief! Hmm, does it smell like Y2K in here? Oh well, sweet dreams.

Okay, wake up now! Industrial networks don’t work this way, and improving their security can’t be achieved with one-shot solutions. Sure, if you don’t already have them, you must install routers, switches, firewalls, and VLANs to direct and isolate data traffic. However, viruses, bots, and other malicious software are always adapting, and finding ways around static security solutions. Real security starts with inventorying your entire network; identifying every place that data is coming in or going out; drafting IT and plant-floor control staffers to develop and test security policies and procedures; turning on security functions and antivirus software; and training everyone about safe computing practices. You know this, or at least your IT people know it.

So, why do so many users seem to fall for quick-fix security solutions? It’s because doing nothing and then panicking are two sides of the same laziness coin. They look different, but neither side accomplishes anything useful. Unfortunately, if you’re ignorant about genuine network security, then an imaginary solution probably looks just as good—and it’s so much easier than seeking real knowledge! And, similar to recent federal responses to terrorism and hurricanes, if you really don’t know what you’re doing, then you’d sure better look busy when the boss, customers, or voters come around. So, buy any security software package, dump your shampoo and take off your shoes at the airport, invade a couple of countries, whatever, just look busy.

Paradoxically, though hackers using the same code version might seem scary, this too may be yet another one-shot solution that doesn’t require much imagination. So, even though there may be more hackers, they also may be desperately seeking easy intrusion methods. Ironically, the potentially good news is that innovative security developers and knowledgeable users consequently may have an easier job staying ahead of external threats in the future. I guess it really was a good fortune cookie. Thanks again, Socrates.