Lawyer-Proof Your Software

April 26, 2004
Obfuscation Software May Protect You From Hackers and Lawsuits

Process control, HMI, and SCADA software programs are becoming increasingly vulnerable to attacks by all sorts of rascals, assorted villains and even lawyers.

Because we operate in an obscure little backwater industry, we are more or less immune to the major problems facing banks, Microsoft and the government: companies and organizations that face attacks on their software and web sites every day.

Recently, some miscreant released huge amounts of Windows source code to the hacker community on the Internet. Thousands of people have now downloaded sections of Windows 2000 and NT operating system code. For what evil purpose? We can only imagine.

Although we may be small and obscure, we face similar problems. Software vendors and OEMs in our industry have to deal with software piracy too; that is, competitors stealing their source code, and then reselling the software at a fraction of the price.

Hackers have been leaving us alone for the most part, but we've heard reports that they are starting to break into utility SCADA systems.

Probably the two biggest problems facing end users are unintended modifications by well-meaning programmers, and lawsuits by greedy lawyers.

In the first case, accidents do happen. For example, your programmer wizard thinks he or she can modify a control system to accept a new device or modify a function, but screws up the job. Soon, the source code is so compromised, the vendor has to be called back to fix it properly.

 

"Obfuscation makes your software harder to steal and difficult to hack, and might just keep the patent attorneys away."

Software lawsuits are becoming a pesky and expensive problem, as Walt Boyes explained in his column, "The Death of Innovation," (CONTROL, Feb. 2004, p9). Certain companies, who shall remain nameless, are suing end users for buying software that allegedly violates some obscure patent. We can all laugh at some of the ludicrous claims being made, but if a tort lawyer says that your company is violating a patent and slaps you with a lawsuit, it can cost you millions of real dollars to defend the case.

End users are easy pickings, because they tend to fold up like a deck chair on the Titanic when lawyers come calling. These companies eagerly give lawyers a few hundred thousand dollars to make them go away, instead of standing up on principle and spending millions to mount a defense. The lawyers know these companies are vulnerable; that's why they go after them. Lawyers can be like vultures: they pick on the weak to be their victims.

I think I may have found a solution to the problem: it's a technique called software obfuscation or "shrouding," that is delivered by a $99 software package that might save you from a million dollar lawsuit.

Jon Wieman, a real-time programmer for an aerospace company, developed the obfuscation software. He explains that obfuscation converts a program's source code into gibberish. "My obfuscation program strips all comments and whitespace characters, changes all the identifier names to meaningless nonsense, and moves sections of code into different files," says Wieman. "It also encrypts strings and literals, inserts misleading directives, and adds in unnecessary instructions, such as ANDing a variable with 1. This essentially makes it impossible for anyone to figure out how the program works by looking at the source code."

The obfuscated source code will still compile and run just fine, though. Therefore, obfuscation makes your software harder to steal and difficult to hack, protects it from unauthorized modifications, and might just keep the patent attorneys away from your door.
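Three of the steps described above (dropping comments, renaming identifiers, hiding string literals) can be sketched in a few lines. This is an added illustration, not Wieman's product or its code; it assumes Python source made of plain functions (no f-strings or keyword-argument calls), and hex encoding stands in for string encryption.

```python
import ast

# Constructed sample: descriptive names, a comment and a readable string.
SAMPLE = '''
def scale_reading(raw_counts, span, offset):
    # convert ADC counts to engineering units
    fraction = raw_counts / 4095.0
    label = "flow"
    return label, fraction * span + offset
'''

def declared_names(tree):
    # Only names the source itself introduces; builtins stay untouched.
    names = set()
    for n in ast.walk(tree):
        if isinstance(n, ast.FunctionDef):
            names.add(n.name)
        elif isinstance(n, ast.arg):
            names.add(n.arg)
        elif isinstance(n, ast.Name) and isinstance(n.ctx, ast.Store):
            names.add(n.id)
    return names

class Shroud(ast.NodeTransformer):
    def __init__(self, declared):
        # Map every declared name to a meaningless one (_0, _1, ...).
        self.alias = {n: f"_{i:x}" for i, n in enumerate(sorted(declared))}
    def visit_FunctionDef(self, node):
        node.name = self.alias.get(node.name, node.name)
        self.generic_visit(node)
        return node
    def visit_arg(self, node):
        node.arg = self.alias.get(node.arg, node.arg)
        return node
    def visit_Name(self, node):
        node.id = self.alias.get(node.id, node.id)
        return node
    def visit_Constant(self, node):
        if not isinstance(node.value, str):
            return node
        # Replace the literal with an expression that rebuilds it at run time.
        call = f"bytes.fromhex({node.value.encode().hex()!r}).decode()"
        return ast.parse(call, mode="eval").body

def shroud(source):
    """Return (obfuscated_source, name_map) for the given Python source."""
    tree = ast.parse(source)  # parsing already discards comments
    shrouder = Shroud(declared_names(tree))
    return ast.unparse(shrouder.visit(tree)), shrouder.alias

if __name__ == "__main__":
    print(shroud(SAMPLE)[0])
```

The name map returned by `shroud` is the only link back to the original identifiers.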

After all, if the lawyers can't prove in court that you are using a patent-protected process, they can't sue you. Because no one can figure out obfuscated source code, nobody will be able to prove anything. All you have to say is, "We don't use that package anymore. We have something different. But you are welcome to try and prove we are using your patented technology. Here's the source code." In other words, show me the patent infringement, tort breath. It may or may not stop them, but it might slow them down.

Look on software obfuscation as you would a firewall. Nothing will stop a greedy lawyer or a determined hacker, but they usually seek easy prey. If you have obfuscated code, then the lawyer has a more difficult job proving a case, so you might be left alone.

I'm no lawyer, so my advice is worth exactly what you are paying for it (nothing). But if there is a chance that hiding your software from prying eyes will keep lawyers and million dollar lawsuits away from your door, you may want to consult your company's lawyers and see what they say about it.