Heartbleed Security Bug Issue Means We Must be Vigilant With Our Industrial Systems

Trust with Verification is Necessary

The Heartbleed security bug is a programming error in OpenSSL, an open-source encryption-protocol layer. The gist of the bug is that it allows entry into cached memory that would normally be “malloc'ed” (memory allocated by an application) and protected by that application. So if a hacker can get access to that memory space, which now appears to be unencrypted, then the data in that space is easily read.
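
The missing check behind Heartbleed can be shown in a few lines. The following C sketch is an added example, not code from the original column or from OpenSSL: it models a heartbeat request whose length field claims more payload than was actually sent, using hypothetical function names and a constructed buffer that stands in for process memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified heartbeat request layout (RFC 6520):
 *   type (1) | payload_length (2, big-endian) | payload | padding (>= 16)
 * Function and buffer names are hypothetical; this is not OpenSSL's code. */
#define HB_HEADER  3u
#define HB_PADDING 16u
#define REC_LEN    21u  /* bytes actually received: 3 + 2 ("hi") + 16 */

/* Constructed stand-in for process memory: the request, then unrelated data. */
static uint8_t arena[64];

static void arena_init(uint8_t claimed_len) {
    memset(arena, 0, sizeof arena);
    arena[0] = 0x01;                 /* heartbeat request */
    arena[1] = 0x00;
    arena[2] = claimed_len;          /* length field chosen by the sender */
    memcpy(arena + HB_HEADER, "hi", 2);
    memcpy(arena + REC_LEN, "CONSTRUCTED-SECRET", 18);
}

/* Before the fix: the echo length comes from the request alone.
 * This demo keeps claimed_len small so the read stays inside arena. */
long hb_echo_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    (void)rec_len;                   /* received size is never consulted */
    memcpy(out, rec + HB_HEADER, claimed);
    return (long)claimed;
}

/* After the fix: discard requests whose claimed payload does not fit. */
long hb_echo_checked(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    if (rec_len < HB_HEADER + HB_PADDING) return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + claimed + HB_PADDING > rec_len) return -1;
    memcpy(out, rec + HB_HEADER, claimed);
    return (long)claimed;
}

int main(void) {
    uint8_t out[64];
    arena_init(40);                  /* claims 40 bytes, carries 2 */
    long n = hb_echo_unchecked(arena, REC_LEN, out);
    printf("unchecked: echoed %ld bytes, leaked \"%.18s\"\n", n, (char *)out + 18);
    printf("checked:   %ld (request discarded)\n", hb_echo_checked(arena, REC_LEN, out));
    return 0;
}
```

The unchecked version echoes the two real payload bytes, the padding, and then whatever sits next to the request in memory; the checked version drops the same request before copying anything.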

Believe it or not, the Canada Revenue Agency uses this open-source layer to connect to official users, such as accountants, and the general public for e-filing.

I subscribe to an investment service whose site was hacked for reasons unknown. The resulting report from the owner of the site was that the version of WordPress was an older version that had known vulnerabilities, and it hadn't been updated.

By whom? Well, it seems that the creator of the website was using a web-hosting service in California that provided the secure platform and the WordPress application and database as part of its service. So the trust was placed with the service along with the developer.

Misplaced trust can be deadly. The result of the hack was simply to replace hyperlinks and direct users to other websites in Europe and other locales, but the results could have been much more significant.

We do trust in the capabilities of those services that we use—banking, downloads, free apps, etc. Free apps? You have to wonder when a flashlight application for your BlackBerry wants to have access to your personal info and turns on your location services. But it is free!

The NSA has brought to light the backdoor theory of almost all systems, be they hardware or software. We have relied on the powers that be (read IT department) to keep us safe at work. We rely on our ISPs to keep us safe at home. Maybe we should rely on ourselves a bit more to protect ourselves.

Apple's iOS 7 had a bug that sent out unencrypted data over the network. Anyone who does banking with a portable device is nuts. How can you trust that a flashlight application isn't monitoring and sending info to the mother ship?

Trust with verification is needed, which brings me to the removal of support of Windows XP—a new chapter in the life of automation. If we believe in Murphy's Law, things will hit the fan.

I'm guessing about the total here, but the number of SCADA nodes, HMI boxes and programming laptops still running XP must be monstrous. Everyone wants remote access to everything, and if you use XP as an endpoint, there is now a built-in security risk, since no more patches will be forthcoming. The longer you use XP, the more vulnerable you are. It would almost be best to go back to Windows 2000.

It has been estimated that hardware cycles vary from three to six years. Windows 7 has been with us for five years, XP for 13. Because of the chaos with Vista, not many moved to Windows 7, thus the plethora of computers out there with XP.

The U.S. Navy canceled an order for 1,400 iPads because a portion of the BIOS was written in Russia by Russians. No disrespect to the Russian programming community meant, but there wasn't any love given to them by the Navy.

Cloud-based technologies are safe and cost-effective, we are told. Really? Great idea, but maybe not the best implementation.

While not all issues are security issues, now more than ever we must be vigilant with our industrial systems. Probably even more so in the future. No one knows what the future holds, but one thing is for sure—the evil doers always will be there and they'll be knocking on our door. We must be as informed and knowledgeable as we can. Being our own advocate is paramount.

In God we trust, yes. But in firmware, software and protocols we can't, or at least we shouldn't.

Off-topic final note: ISA's Automation Week in North America, which I pronounced dead two years ago, is officially gone. No longer will the paths of professionals of varying technical disciplines cross in the technical session hall of learning. I'm saddened, but also looking forward to what's next. I just don't know what it looks like yet. Condolences to the ISA and congratulations to the organization for providing so much opportunity for so many over the years. Thank you.
