Voices: Other Voices

Heartbleed Security Bug Issue Means We Must be Vigilant With Our Industrial Systems

Trust with Verification is Necessary

The Heartbleed security bug is a programming error in an open-source, encryption-protocol layer of OpenSSL. The gist of the bug is that it allows entry into cached memory that would normally be “malloc'ed” (allocated memory by an application) and protected by that application. So if a hacker can get access to that memory space, which now appears to be unencrypted, then the data that's in that space is easily read.

Believe it or not, the Canada Revenue Agency uses this open-source layer to connect to official users, such as accountants and the general public for e-filing.

I subscribe to an investment service whose site was hacked for reasons unknown. The resulting report from the owner of the site was that the version of WordPress was an older version that had known vulnerabilities, and it hadn't been updated.

By whom? Well, it seems that the creator of the website was using a web-hosting service in California that provided the secure platform and the WordPress application and database as part of its service. So the trust was placed with the service along with the developer.

Misplaced trust can be deadly. The result of the hack was simply to replace hyperlinks and direct users to other websites in Europe and other locales, but the results could have been much more significant.

We do trust in the capabilities of those services that we use—banking, downloads, free apps, etc. Free apps? You have to wonder when a flashlight application for your Blackberry wants to have access to your personal info and turns on your location services. But it is free!

The NSA has brought to light the backdoor theory of almost all systems be they hardware or software. We have relied on the powers that be (read IT department) to keep us safe at work. We rely on our ISPs to keep us safe at home. Maybe we should rely on ourselves a bit more to protect ourselves.
The Apple iOS 7 had a bug that sent out unencrypted data over the network. Anyone that does banking with a portable device is nuts. How can you trust that a flashlight application isn't monitoring and sending info to the mother ship?

Trust with verification is needed, which brings me to the removal of support of Windows XP—a new chapter in the life of automation. If we believe in Murphy's Law, things will hit the fan.

I'm guessing about the total here, but the number of SCADA nodes, HMI boxes and programming laptops still running XP must be monstrous. Everyone wants remote access to everything, and if you use XP as an endpoint, there is now a built-in security risk, since no more patches will be forthcoming. The longer you use XP, the more vulnerable you are. It would almost be best to go back to Windows 2000.

It has been estimated that hardware cycles vary from three to six years. Windows 7 has been with us for five years, XP for 13. Because of the chaos with Vista, not many moved to Windows 7, thus the plethora of computers out there with XP.

The U.S. Navy canceled an order for 1,400 iPads because a portion of the BIOS was written in Russia by Russians. No disrespect to the Russian programming community meant, but there wasn't any love given to them by the Navy.

Cloud-based technologies are safe and cost-effective we are told. Really? Great idea, but maybe not the best implementation.

 

While not all issues are security issues, now more than ever we must be vigilant with our industrial systems. Probably even more so in the future. No one knows what the future holds, but one thing is for sure—the evil doers always will be there and they'll be knocking on our door. We must be as informed and knowledgeable as we can. Being our own advocate is paramount.

In God we trust, yes. But in firmware, software and protocols we can't, or at least we shouldn't.

Off-topic final note: ISA's Automation week in North America, which I pronounced dead two years ago, is officially gone. No longer will the paths of professionals of varying technical disciplines cross in the technical session hall of learning. I'm saddened, but also looking forward to what's next. I just don't know what it looks like yet. Condolences to the ISA and congratulations to the organization for providing so much opportunity for so many over the years. Thank you.

More from this voice

Title

Skills Gap is Reality for Adaptive Manufacturing

These Over-50 Operators and Engineers Are the Human Computers of Operations and the Only Thing Standing Between Profit and Loss

08/05/2008

Safety and Security: Two Sides of the Same Coin

A Weakness in Security Creates Increased Risk, Which in Turn Creates a Decrease in Safety, so Safety and Security Are Directly Proportional, but Are Both Inversely Proportional to Risk

03/25/2010

Process Automation: Harder, More Profitable

Success in Factory Automation Is No Free Ticket for Success in Process Automation

03/02/2009

Process Automation Reliability vs. Safety

Is It Possible to Have Safe Systems That Aren't Considered Reliable?

04/07/2014

Process Automation Integrated Systems: A Data-Driven Search for Oil

Integrated Systems Pump Data to Feed the Search for Oil in Alberta

04/08/2013

Pervasive Connectivity: Brilliant Is as Brilliant Does

Pervasive Connectivity Poised to Transform Our Expectations of Industrial Machines

10/31/2013

PEMEX Makes Heat Exchangers Tell How They're Feeling

Many Engineers Are Too Busy to Put a High Priority on Getting and Analyzing Exchanger Data, so Plants Use More Energy, Run at Lower Productivity and Even Experience Unplanned Outages Due to Exchanger Neglect

10/01/2013

More of Our Content Online

Each Printed Page Can Hold Only So Many Words, but Online We Can Fit So Much More

10/08/2013

Modular Still Matters

The Process Analyzer Industry and One of Its Largest User Communities Must Get Away from Building "Steel Copies of Wooden Bridges"

12/03/2012

Modular Procedural Automation Improves Operations

Using a Standard Automation Methodology Also Prevents Incidents by Allowing Operators to Share Best Practices

04/11/2014

ISA100.11a - Fieldbus Wars Round 2 Begins

To Directly Influence the Outcome of This Dispute, End Users Should Vote With Their Time by Participating in the Appropriate Standards Committees

02/25/2013

Interoperability Barrier No. 1: The CIO

According to AMR, 60% of Most IT Budgets Are Spent Attempting to Deliver to 2002 Expectations

06/12/2008

Instrumentation as a Foundation for Profit

What Is the Real Value of Instrumenting Production Processes? Control Engineers Know It. Do You?

02/02/2010

Industrial Machine Performance: The Power of One Percent

Advanced Analytics Delivered through Smarter, Connected Machines Will Transform Industrial Performance

10/31/2013

How to Select the Right Network

Gathering Data from Everywhere

12/17/2013

How Can the NERC CIP Standards Be Improved?

The Requirements in the CIP Standards Are Pretty Good, but They Do Not Address Common Methods of Attacking a Protected Network

12/06/2010

HMI Everywhere

There's a Difference Between Monitoring and Interacting or Controlling. Effective Control Requires an HMI

10/07/2013

Heartbleed Security Bug Issue Means We Must be Vigilant With Our Industrial Systems

Trust with Verification is Necessary

05/08/2014

Getting Up to Smart Speed

Use Variable Speed Drives to Save Money, but Gain Even More by Thinking Strategically and Picking Projects Carefully

09/15/2008

Getting OPC Security Under Control

What Do You Use OPC For? How Does Your Company Use OPC in Its Operations?

08/08/2010