Feedback: Security

Oct. 28, 2008
Security Death by Committee?

[Editor’s Note: Sometimes letters to the editor are prescient and outrun events. Here’s one we received last month, which fits the issue focus this month.]

I’m worried about the ISA ASCI group being another “Death by Committee.” We already have ISA 99. We have those lovely booklets written up by NIST, again not well known. We have the CPNI in the U.K. The list seems endless.

Why can’t all these people get together and agree on one format, one brand and one approach? I had a quick peek at the new ISA ASCI prospectus. Looks lovely. So I’ll just wait and see what happens, but I’m not hopeful until a really big piece of national infrastructure gets hacked by miscreants.

None of these points are new.

  • SCADA life cycles are extremely long; many deployed systems are never patched, tested or audited—and tight budgets don’t help.
  • Most systems don’t have a protocol in place to even support patching (that is, the live system is patched with fingers crossed), and the ones who must run 24/7 are particularly difficult to patch.
  • Despite all the articles to the contrary about how the controls and IT guys now have big love-ins, I still see the controls guys on the mucky front end, and the IT guys appearing from time to time from the head office. As a result, you still end up with two opposing points of view. I’ve seen everything from corporate-mandated desktop wallpapers and screen savers pushed to HMIs to remote management software to anti-virus software (many AV packages don’t play nice).
  • The rush to wireless.
  • As you know, it is quite normal for a SCADA system to be supported by one or more system integrators, depending on whether the job is driven locally or by head office. This is a two-way street for picking up malware, trojans, bots or whatever. Certainly, the good integrators do their homework and have clean laptops. I’ve seen viruses try to come in the other way from Fortune 500 company control networks. One reason we have to plug in with our own kit is that run-time versions are deployed and engineering versions may not even exist with a lot of clients. Also, there are many back doors to quickly give logged-in users engineering privileges on the SCADA application or administrative privileges on the local machine.
  • All those DCS, HMI, PAC, PLC and smart sensors, all sitting on the network. We’re adding more all the time, and security isn’t high on anyone’s agenda.
  • How many networks are linked by accident or design to either the corporate intranet or the Internet?
  • Security isn’t a particularly important design consideration, and we know how well TCP/IP stacks run in many automation systems. There are many vendors who don’t really understand the problem either. I’ve read many critical articles on what security researchers confront when they approach vendors.
  • It seems that a lot of automation software has reliability issues even in “protected environments.” On too many projects, we have to cobble systems together with hot fixes etc. And, at the end of the day, we’re on a wing and a prayer.

Ranjan Acharya, P.Eng.
Senior Consultant, Grantek Systems Integration
Auckland, New Zealand

In the article “Power to the Process,” p. 126 in the September 2008 issue, the comment that the integration of the electrical and control worlds “will require considerable missionary work,” should have been attributed to Mats Pettersson, product manager for electrical integration for ABB. We regret the error.