31 May 2001
Security problems keep increasing
by Bob Felton
E-manufacturing raises the stakes, makes security everybody's job.
"The agency," cryptology historian David Kahn wrote of the National Security Agency in 1967, "may well keep a team examining cryptograms in a given system for two or three years, even though it has had no success, in the hope that one of the cipher clerks may someday blunder and open the way to a solution. For in modern systems, properly used and with frequent key changes, a cryptographer's error is the cryptanalyst's only hope."
Kahn's observation that errors are the cracks attackers exploit to jimmy their way into secret communications is as true today as it was 35 years ago, and some hackers are as tenacious and ingenious as the Bletchley Park eccentrics who wouldn't quit till they'd whipped the Nazi Enigma machine. Presently, thanks to instantaneous global communications among millions of desktops via the Internet, representing every possible gradation of user and administrator know-how and conscientiousness, pickings are pretty good for e-thieves.
Today, as enterprisewide networks reach the plant floor and zip data to the far side of the world in a twinkling, and as the number of computers, personal digital assistants, telephones, and pagers communicating with the network increases, there is a corresponding increase in the opportunities for a critical blunder that would allow an attacker to enter your system.
The consequences could be ruinous. According to a recent survey by the Computer Security Institute, the cumulative loss of 186 companies that quantified their losses in 2000 reached $378 million, or about $2 million each. Roughly $151 million of that loss was theft of proprietary information: information your competitors want.
One of the best places for plant engineers to learn about network security, besides brown bagging with a peer in information technology (IT), is at the Computer Security Resource Center, a Web site established by the National Institute of Standards and Technology (NIST). There you'll find primers that explain security issues and technologies, news about current problems and security initiatives, and downloadable copies of the standards that govern electronic communication with Uncle Sam.
One of the most useful items at the site is the March 2001 draft of the "Self-Assessment Guide for Information Technology Systems," a comprehensive questionnaire that assesses data security from every possible perspective, from cooling fans at the chip to physical security and labeling of backup disks. Originally developed for the use of U.S. government IT personnel, the questions can teach plant engineers a lot about security and the problems confronting network managers:
- Does building plumbing endanger the system?
- Have you performed a consequence assessment that estimates the degree of harm or loss that could occur?
- Do your emergency exit and reentry procedures ensure that only authorized personnel reenter after fire drills, etc.?
- Do you sanitize media before reuse?
- Do you share incident information and common vulnerabilities with interconnected systems?
- Do you maintain a current list of authorized users and their access?
- Do your security controls detect unauthorized access attempts?
Careful reading and consideration of the questions make it clear that the electronic ganglia tying together the extremities of the modern manufacturing plant are susceptible to attack across many fronts and that security is everyone's business. More than ever, it's vital that plant engineers work effectively with IT to identify potential breaches, shore them up, and train everybody to be security conscious.
Nor is it only NIST that's getting into the act. The National Infrastructure Protection Center was created by Congress to defend the nation's computer networks by serving as the national focal point for gathering information on threats to critical infrastructures. It is the principal means of facilitating and coordinating the federal government's response to an incident, mitigating attacks, investigating threats, and monitoring reconstitution efforts. The center issues updates about new viruses, Internet frauds, and disruption attempts almost daily. It is located in the FBI's Washington headquarters and maintains its own investigative staff.
Cybersecurity isn't an exclusively local matter, however: A complaint filed by the U.S. Attorney for the Southern District of New York provides an instructive example of the reach of today's e-thieves. The complaint alleged that Oleg Zezov and Igor Yarimaka, residents of Kazakhstan, penetrated the computers of Bloomberg.com, in New York, and demanded $200,000 from the company to tell how they had done it. Bloomberg agreed to pay but only following a face-to-face meeting in London. There, accompanied by undercover London police officers, Bloomberg met with Zezov and Yarimaka. They repeated their demands, and police arrested them the next day. The U.S. is now seeking their extradition.