Voices: Other Voices

Heartbleed Security Bug Issue Means We Must be Vigilant With Our Industrial Systems

Trust with Verification is Necessary

The Heartbleed security bug is a programming error in an open-source, encryption-protocol layer of OpenSSL. The gist of the bug is that it allows entry into cached memory that would normally be “malloc'ed” (allocated memory by an application) and protected by that application. So if a hacker can get access to that memory space, which now appears to be unencrypted, then the data that's in that space is easily read.

Believe it or not, the Canada Revenue Agency uses this open-source layer to connect to official users, such as accountants and the general public for e-filing.

I subscribe to an investment service whose site was hacked for reasons unknown. The resulting report from the owner of the site was that the version of WordPress was an older version that had known vulnerabilities, and it hadn't been updated.

By whom? Well, it seems that the creator of the website was using a web-hosting service in California that provided the secure platform and the WordPress application and database as part of its service. So the trust was placed with the service along with the developer.

Misplaced trust can be deadly. The result of the hack was simply to replace hyperlinks and direct users to other websites in Europe and other locales, but the results could have been much more significant.

We do trust in the capabilities of those services that we use—banking, downloads, free apps, etc. Free apps? You have to wonder when a flashlight application for your Blackberry wants to have access to your personal info and turns on your location services. But it is free!

The NSA has brought to light the backdoor theory of almost all systems be they hardware or software. We have relied on the powers that be (read IT department) to keep us safe at work. We rely on our ISPs to keep us safe at home. Maybe we should rely on ourselves a bit more to protect ourselves.
The Apple iOS 7 had a bug that sent out unencrypted data over the network. Anyone that does banking with a portable device is nuts. How can you trust that a flashlight application isn't monitoring and sending info to the mother ship?

Trust with verification is needed, which brings me to the removal of support of Windows XP—a new chapter in the life of automation. If we believe in Murphy's Law, things will hit the fan.

I'm guessing about the total here, but the number of SCADA nodes, HMI boxes and programming laptops still running XP must be monstrous. Everyone wants remote access to everything, and if you use XP as an endpoint, there is now a built-in security risk, since no more patches will be forthcoming. The longer you use XP, the more vulnerable you are. It would almost be best to go back to Windows 2000.

It has been estimated that hardware cycles vary from three to six years. Windows 7 has been with us for five years, XP for 13. Because of the chaos with Vista, not many moved to Windows 7, thus the plethora of computers out there with XP.

The U.S. Navy canceled an order for 1,400 iPads because a portion of the BIOS was written in Russia by Russians. No disrespect to the Russian programming community meant, but there wasn't any love given to them by the Navy.

Cloud-based technologies are safe and cost-effective we are told. Really? Great idea, but maybe not the best implementation.

 

While not all issues are security issues, now more than ever we must be vigilant with our industrial systems. Probably even more so in the future. No one knows what the future holds, but one thing is for sure—the evil doers always will be there and they'll be knocking on our door. We must be as informed and knowledgeable as we can. Being our own advocate is paramount.

In God we trust, yes. But in firmware, software and protocols we can't, or at least we shouldn't.

Off-topic final note: ISA's Automation week in North America, which I pronounced dead two years ago, is officially gone. No longer will the paths of professionals of varying technical disciplines cross in the technical session hall of learning. I'm saddened, but also looking forward to what's next. I just don't know what it looks like yet. Condolences to the ISA and congratulations to the organization for providing so much opportunity for so many over the years. Thank you.

More from this voice

Title

An Embarrassment of Riches

Checking Out ControlGlobal.com Can Be Rather Like Harvesting a Tomato Patch. There's So Much Good Stuff There--and More Is Added Every Day

10/03/2011

Are Industry Analysts Relevant Anymore?

Does It Make Sense to Subscribe to Industry Research? For Most, the Answer Is the Classic Analyst Response: It Depends

08/01/2013

Automation Processes Are Easy to Listen To

We Have More Than 200 Podcasts on Subjects Ranging From the RS-485 Standard to How to Upgrade Your DCS. Listen and Learn

07/31/2012

Best Practices in High-Performance HMI Design

Having a Solid Foundation to Build On Is Extremely Important, and Having an Enforced Policy That Ensures Compliance Is Just As Important

10/03/2012

Bringing the Lincoln Paper Mill Back from the Dead

Lincoln Paper Wasn't Even a Zombie Company. It Was Dead. Closed. Kaput. Then New Owners Brought in Multivariable Testing to Help Resurrect It Through a Top-to-Bottom Revamp of Procedures, Processes and Plant Culture

05/13/2013

Championship Season for Industrial Instrumentation

How Potash Upgraded Its Systems, Training and Instrumentation Workforce All at the Same Time

11/18/2013

Choose and Manage Your Automation Suppliers Carefully

How Can We Manage Our Supplier Performance to Achieve Optimum Long-Term Results

10/11/2013

Collaboration Isn't Just for People

Today's Collaborative Infrastructure Can Bring Together Devices and Applications, Too.

10/31/2013

Comprehensive Training Prepares Kuwaitis to Take Over Refinery

Workforce Effectiveness Begins With an Assessment of the Customer's Unique Needs

10/28/2013

Could Cyber Terrorists Attack Our Company?

Less Than 25% of the Incidents Recorded in the RISI Database Represent Intentional Attacks on Control Systems

06/02/2010

Demanding Software Security Assurance

Users Wonder, "How Dependable, Trustworthy and Resilient Is My Supplier's Software?"

02/10/2011

Developing Control System Security Standards

Are There Several Standards in the Area of Control Systems Security?

06/01/2012

Do You Really Need to Train Them On...Everything?

Many Times Training Classes Are Ineffective because They Lack a True Training Objective

11/02/2009

Domino Theory

Can ISA88 and ISA95 Knock Down the Barriers Between Batch and Continuous Processing?

09/09/2008

Farewell to Standardization: Wireless and FDI

Will There Be One Standard for Wireless and One Standard for Field Device Integration?

02/06/2012

FDT Expands Its Industrial Network Footprint

FDT Is Like a 'Swiss Army Knife,' Enabling the Viewing of In-Depth Device Information From Multiple Protocols in a Single Environment

11/18/2013

Feeding the Asset Management Beast

Will the Work Underway at IEC on the Digital Factory and Similar Initiatives Help Integrate All the Disparate Standards Into a Unified Whole?

03/07/2014

Fieldbus Is Easy With Portable, Wireless Tools

Why Use Portable Tools? Find Out Its Benefits

04/02/2013

Finding Faults in Enterprise Asset Management Systems

Giant Swedish Mine Counts on an Integrated EAM System to Make Fault Reporting and Predictive Maintenance Easier

11/06/2012

Getting into Discrete

Process Meets Packaging

09/09/2008