Control System Security and Appropriate Vendor Technology

Dec. 31, 2008


Ever since my days at EPRI managing various advanced instrumentation and controls programs, I have had vendors call me with products that are “the best thing since sliced bread”.


Ever since my days at EPRI managing various advanced instrumentation and controls programs, I have had vendors call me with products that are “the best thing since sliced bread”.

There is an old saying that if you are a carpenter, everything looks like a nail. Just because control system HMIs are migrating toward Windows and TCP/IP does not mean that control systems are business IT systems. There are significant technical and administrative differences between business IT systems and field instrumentation systems though differences between business IT and SCADA/DCS HMIs are much less. DOE’s and DHS’s focus have been effectively a repackaging of IT security solutions for control systems.

This has been a mixed blessing – bringing more vendors into the control systems field, but also bringing in vendors with little idea of what makes a control system different and little idea of how it is actually used. Consequently, there is the potential for the cure being worse than the disease. 

One example is an article in the recent issue of a power generation magazine discussing unknown connections with control systems. The vendor posits their technology could have detected and/or prevented the anomalies that caused the Hatch Nuclear Plant shutdown.

I called the vendor to discuss their product in the context of control systems. They have significant experience with Windows, TCP/IP, Ethernet, etc. However, when I asked if they had tested their technology on field devices such as PLCs, the answer was no. In this case, scanning a control system network to determine what devices are on the network could cause an event like Hatch or worse, not prevent it.

There is a crying need for security vendors coming out of banking, finance, health care, DOD, etc (and end-users buying into the hype) to better understand the unique environment of legacy control systems and for end users to question the validity of these technologies before implementing them in critical control system applications.

Joe Weiss

Beginning in January, I will be providing a monthly subscription newsletter. Stay tuned for more details.

Sponsored Recommendations

Make Effortless HMI and PLC Modifications from Anywhere

The tiny EZminiWiFi is a godsend for the plant maintenance engineers who need to make a minor modification to the HMI program or, for that matter, the PLC program. It's very easy...

The Benefits of Using American-Made Automation Products

Discover the benefits of American-made automation products, including stable pricing, faster delivery, and innovative features tailored to real-world applications. With superior...

50 Years of Automation Innovation and What to Expect Next

Over the past 50 years, the automation technology landscape has changed dramatically, but many of the underlying industry needs remain unchanged. To learn more about what’s changed...

Manufacturing Marvels Highlights Why EZAutomation Is a Force to Be Reckoned With

Watch EZAutomation's recent feature on the popular FOX Network series "Manufacturing Marvels" and discover what makes them a force to be reckoned with in industrial automation...