So what should we do about security? #pauto #cybersecurity

July 21, 2010

OK, faced with the Siemens vulnerability, which could have been anybody else's vulnerability just as easily, what should we do?

I've been accused of being an apologist for vendors, but that's not what I am. As long as end-users are accepting (and in many cases, specifying) software that runs on Microsoft Windows and Windows Server versions, these vulnerabilities will show up. I am a realist who's had a career in product marketing, sales, and new product development, and I know from the inside what it is like.

Yes, the vendors offer their software on Windows, but they would change if the end-users told them to. If a bunch of end-users said they'd no longer accept Windows operating systems but wanted Linux instead, AND THEY WROTE THEIR PURCHASING SPECIFICATIONS THAT WAY, you'd be amazed at how fast software would be ported to the Linux platform of choice.

Should Siemens and the other vendors do more? Well, sure. But how much additional testing, paid for in longer time to market, higher product cost and higher sales prices, are the end-users willing to accept? Or will they push for faster delivery, faster upgrades, faster, faster, faster, as BP appears to have done with the crew of the Deepwater Horizon? This doesn't excuse the vendors. This is, however, a legitimate question. Are you willing to wait 5 years between major upgrades? Are you willing to pay 2x the current prices to pay for the additional security testing? 3x? 4x, 5x or more?

But just as BP has stepped up to pay for cleaning up their mess, Siemens has stepped up and is working feverishly on a way to close this hole. So is Microsoft.

Much has been made of the hard-coded passwords in the WinCC product. Well, this isn't something that only Siemens does. This is something that is often done, so that in an emergency, supervisors and even telecommuting instrument engineers and techs can get into a machine quickly. Are there other ways to do this? Probably. But until the production of cheap biometric locks in the past couple of years, it was hard to do.

Much more should be made about the fact that the Realtek certificate was forged. If we cannot trust institutions that were specifically set up to foster trust, we're really in trouble.

The bottom line is that ANY software has vulnerabilities. It is between the vendor and the end-user what vulnerability level they are willing to mutually accept. End-users can always try to get laws passed to force vendors to be even more responsible than they are now. But those same end-users shouldn't come crying when the law of unintended consequences reduces their choices and raises their costs.

Furthermore, vendor companies ARE responsible. They have the hideous example of Citect, which thought it was trying to comply, and was hounded out of business. Citect still exists, sort of, buried within the Schneider organization.

Before you blame Siemens, or Microsoft, for this situation, just remember how much responsibility we all bear.
