By Jim Montague, Executive Editor
I must admit that the process control security situation looks pretty grim. Potential viruses and attacks seem to be lurking all over the Internet and on the doorstep of every plant-floor control system. Most of the U.S. government's cybersecurity agencies still don't seem to have concrete methods for defeating the most destructive attacks, such as Stuxnet or other zero-day software viruses. Trade group-based standards efforts offer mostly generalized recommendations, such as changing passwords and configuring firewalls, but evidence suggests that many intruders can guess default passwords, circumvent firewalls and use man-in-the-middle capabilities to make compromised systems look like they're running normally. Oh, and most users apparently still aren't changing passwords or properly configuring firewalls anyway. Argh.
Still, I'm not too worried about process security, and it's not just because I'm not responsible for any process applications or equipment. I'm relying, perhaps foolishly, on the belief that process security is likely to unfold in the same way other control and automation technologies have evolved and resolved problems.
For example, back in November 2007, I wrote about counterfeit valves and other components in "Do You Know Who Made Your Valves?" (www.controlglobal.com/articles/2007/370.html). In that article, I learned from Rotork Controls Inc. (www.rotork.com) and the British Valve and Actuator Association (www.bvaa.org.uk) that today's counterfeit valves are copied so precisely that they're almost indistinguishable from genuine valves. So one of the only ways to avoid buying counterfeit valves is constant communication and verification between valve manufacturers and customers. This frequent checking back and forth, sort of like turbocharged FedEx tracking, helps exclude counterfeits from being bought or delivered.
Likewise, I also remember early criticisms of Ethernet were that it wasn't deterministic, and so it couldn't be used in process control settings. Of course, those fears dissipated as soon as simple networking hubs were replaced with more intelligent routers and switches that direct appropriately sized and configured data packets to and from specific devices and at pre-defined speeds and schedules.
Please forgive me if I'm totally off base, but I believe the same checking and verification strategies used to weed out counterfeits from supply chains or make Ethernet deterministic could be used to make process security more effective and easier to achieve. For instance, transmitters could be set up to essentially tell their data packets, "Okay, you guys only go to these specific locations and equipment at this speed and on this schedule—and don't go anywhere else. And, more importantly, receiving devices could be configured to say, "We only accept data packets of this type and size, at this speed and on this schedule—and we disallow all other communications." Much of this data credentialing is already happening, but I'm sure it could be taken further too.
Some of the people I've interviewed agree that more frequently verified communications could help by denying viruses anyplace to go. However, others say that Internet Protocol Version 6 (IPV6) throws all deterministic routing into one hat. This lets bad packets fool PCs or other receiving devices because recipients can't peer into those packets until they're already inside. This is one problem that firewalls with deep packet inspection are supposed to address.
Nonetheless, there has to be a way to solve this problem. The overall data processing revolution made all kinds of computing faster, cheaper, smaller and more powerful, paved the way for the Internet and continues to enable data communications both good and bad. Since both sides have the same tools, it's just a matter of adding new security tweaks as needed, much like an immune system that evolves to counter biological viruses. That's one thing everyone agrees on—successful security never sleeps or even stands still very long. Good luck.