28 August 2008

Security by default

When it all comes down to it, no one vendor can solve a manufacturer’s security problems; it has to be a joint effort between the supplier and the end user.
That was the consensus during this morning’s vendor panel discussion entitled, “State of Building Security In: Where Are We in That Process?” at the Process Control Systems Industry Conference in San Diego.
The panelists agreed there isn’t one system out there a manufacturer uses that doesn’t include multiple vendors. So, the user needs to know what they want to do with their approach to security.
“It’s a collaborative effort,” said Ernest Rakaczky, principal security consultant, enterprise architecture and integration with Invensys Process Systems. “We are not the enemy. We are here; our vested interest is for users to run efficiently without incident.”
“We need a full holistic view of the entire system even if we don’t own all the parts,” said Paul Skare, director of security and deployment at Siemens. “Vendors need to encourage asset owners’ feedback rather than an analytical perspective from the back office.”
“We need users to help us bridge the gaps we don’t know about your systems,” said Robert McComber, product security specialist, project manager-INL testing at Telvent. “We can work together to build something.”
As the infrastructure evolves, how security works on a system will change from the current model. Instead of patching and adding on security measures, all the vendors agreed that, down the road, security will be the default on the system.
“Security should not be a differentiator, it should be a requirement,” said Kevin Staggs, engineering fellow at Honeywell. “Security just has to be there.”
“Our systems can be configured to be secure, but they should be secure by default,” said Dr. Markus Braendle, ABB corporate research. “The challenge for end users is after the system is installed to keep these systems secure.”

27 August 2008

FBI, RCMP want to get cyber attackers

There are Federal Bureau of Investigation (FBI) and Royal Canadian Mounted Police (RCMP) investigators all over the place here in San Diego.
While that may be a bit of an exaggeration, the law enforcement agencies are here at the Process Control Systems Industry Conference in San Diego and want to get the word out they need to be a part of a company's security plan.
That is right, they want to catch the bad guys that are hacking into systems, but the agencies just don’t think they are on companies’ radar screens to call when a cyber problem creeps up.
“When it comes to computer intrusions, we are looking at outreach to initiate relationships (in the industry) so you know who to call,” said Scot Huntsberry, supervisory special agent, cyber division/computer intrusion for the FBI.
“We are seeing increases in reports of some attacks,” said Jeff Morgan, process control systems analyst, cyber division with the FBI. “We are seeing more in the water industry, but others are getting hit also.”
As a matter of fact, to show how the FBI is getting more serious about cyber crime, Morgan said he is the first person dedicated to process control security crime. “We are trying our first SCADA case right now.”
Morgan said from his perspective, most criminal acts are coming from outside hackers, which is slightly different from what some industry security experts are saying.
“We have seen insiders are not the main cause of attacks. They get caught the most, but they are not the main cause,” he said.
The investigators said one of the problems they face is that attacks are not confined by national boundaries.
“We have had great success in communicating around the world,” said Clint Baker, sergeant, integrated technology crime unit with the RCMP.
“The FBI maintains legal attachés in 60 countries,” Morgan said. “Things can happen from anywhere and we have had some great success in bringing down bad guys.”
“We are finding we have more allies in the cyber world than we thought we had,” Huntsberry said. “We understand cyber crime does not have boundaries. We have to communicate in real time around the world.”
Both agencies understand manufacturers may be reluctant to release any information about an attack, thinking they don’t want to reveal any important proprietary information. But the FBI and the RCMP said under new laws they are able to keep private company information secret in the course of an investigation.
“We have new legislation that allows no proprietary information gets released,” Baker said.
“The U.S. also has laws that safeguard that kind of information,” Morgan said.

26 August 2008

‘Who do you trust?’

Quite a while ago there was a television game show hosted by the late Johnny Carson called “Who do you trust?”
The players were nearly always a man and a woman chosen for their unique backgrounds. Carson would interview the contestants, getting to know them. In the quiz portion, Carson would tell the male contestant the category of the upcoming question; the man would then have to decide whether to answer the question himself or "trust" the woman to do so. Three questions were played per couple, and three couples competed on each show. The show worked off the principle of trust.
Trust and information sharing were the big theme of today’s keynote address at the Process Control Systems Industry Conference in San Diego.
“It’s beyond viruses and worms,” said Phyllis Schneck, PhD, vice president of research integration at Secure Computing Corp. and chairman emeritus, board of directors of the 26,000-member InfraGard National Members Alliance. “It is how do we take our understanding of the cyber infrastructure; people that know that and how do we share that with each other having to worry about competition, intellectual property?”
InfraGard is an information sharing and analysis effort combining the knowledge base of a wide range of members. At its most basic level, InfraGard is a partnership between the Federal Bureau of Investigation and the private sector. InfraGard is an association of businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to sharing information and intelligence to prevent hostile acts against the United States. InfraGard chapters link with FBI Field Office territories.
“There is a lot of data in your organization, a lot of things you see that your colleagues can be very helpful and the government can help if there are ways to share that information,” Schneck said.
She built 86 separate communities across the country enlisting private sector organizations that have relationships with more than just the FBI. They would have relationships with Department of Homeland Security, local police, essentially any law enforcement agency in that area.
“We built a core of trust,” Schneck said. “It’s not about who you know, but it’s who you actually want to talk to and who you trust. It’s about building a circle of trust.”
One of the problems everyone faces when it comes to cyber attacks is “the bad guys have actually mastered it better than we have. How do you find the right people to get the information to?”
“The government has a role, the private sector has a role, we are not doing a good enough job in getting the data out there. We have to do a better job in building that circle of trust.”

06 August 2008

Right standard needed for green innovation

Having companies and people go green is the only way to go; however, they have to be able to follow the correct path, said panelists at NIWeek08’s panel on green innovation today.
Knowing a company has to go green and then implementing a plan is key, but everyone has to be on the same page.
“Standardization allows people to speak the same language. When talking about a project in one country and it transfers to another country and if it does not follow a certain specification, it could be a problem,” said Daniel Kaminsky, a director at Elcom, a power measurement company based in Ostrava, Czech Republic.
“We need to standardize to understand the true benefits of green,” said Don Brown, chief executive of EcoVelocity Associates, an international consulting firm that specializes in developing eco-product and service strategies.
“I agree we need a standard, but worse than not having a standard is having a standard that leads you down the wrong path,” said Deborah Estrin, director of the Center for Embedded Networked Sensing (CENS) and a professor of computer science at UCLA.
Everyone agrees there should be a standard way to accomplish any green initiatives, but is there one solution or a multitude?
“One of the biggest challenges is to share with people what the benefits to being green are,” Brown said.
“There will be a lot of answers,” said Dr. James Truchard, president, chief executive and co-founder of National Instruments. “I see lots of little answers. There are a lot of different ways to solve the problems.”
Any type of solution will not be universal. “It all depends on where you are and which part of the world you are in,” said Thirumalaichelvam Subramanian, chief technical officer at CEMS, a chiller management company based in Malaysia.
One answer Truchard talks about is fusion technology.
“We went to the moon. We should have the same effort toward fusion power,” he said. “That,” he said, “could be the home run.”
Renewable solar and wind power have potential to help cut down on burning carbon-based fuels to create energy, but as Manuel Gonzalez, with Houston-based Center Point Energy, said, you can only gain energy from those sources at certain times of the day and people need energy 24 hours a day.
“What is needed in the future is a good energy storage system to get energy when you need it most,” Gonzalez said.
“Nuclear power has a bad reputation, but that may help as an energy source,” Truchard said. “Solar and wind have limitations. There will be quite a few solutions to the problem.”

Future plans in real time

Jeff Kodosky lives in the present, but is always looking ahead.
That just goes to show how the father of National Instruments’ flagship software product LabVIEW thinks. He is always looking two or more versions ahead--at least.
“The scope has expanded from virtual instrumentation to graphical design,” Kodosky said this morning during his keynote address at NIWeek08 in Austin, Texas. “We now have an enormous amount of power on our desktops” that we need to utilize, he said. “Our machines also have powerful high performance graphics processors to take advantage of.”
But that is today, said Kodosky, who is a co-founder and business and technology fellow at NI. In the future, systems will just be different.
“The architecture of our machines will change over the next decade. The machines will be massively parallel,” he said.
Storage of huge amounts of data will also increase.
“I talk to our new hires and talk about the day when you couldn’t hold your entire music library in your shirt pocket. They just smile and indulge me. It won’t be long before we store petabytes (A petabyte is a unit of information or computer storage equal to one quadrillion bytes or 1,000 terabytes).”
“One of our major goals is to harness the huge graphical issues,” he said.
Part of the way to accomplish that is to keep pushing and utilizing multicore processing.
“One of my favorite quotes about multicore processing comes from Apple's Steven Jobs, who said, ‘nobody knows how to program those things.’ Well, Mr. Jobs, we have a room full of people that can program those things,” said Mike Santori, NI business and technology fellow, during his portion of the keynote address this morning.

05 August 2008

NI: Finding a way to measure green

Green is the word if you talk to National Instruments.
“The key to green engineering is understanding the very complex issues we see around the globe,” said NI President, Chief Executive and co-founder Dr. James Truchard, sporting a green shirt during this morning’s keynote address at NIWeek08 in Austin, Texas. “The second part is fixing it. We can measure, acquire, analyze, and present and then fix it in terms of design and deploy. We can find out what the problem is and then solve it by the design process.”
“Fundamentally,” Truchard said, “we see this as an opportunity to make a difference in the work you are doing.”
“You are working at creating a new idea on how we can be more energy efficient; how we can be more environmentally sensitive reducing pollution all the way from wind mills to steel mills.”
Truchard wanted to reiterate how important the green movement is becoming.
“There is a definite emphasis on this area. It is important and you are coming up with some interesting products in the process,” he said.
This morning wasn’t all about green engineering. The company also focused on more of its key growth areas like wireless, embedded and multicore processing.
“We want to do for embedded what the PC did for the desktop,” Truchard said. “In other words we want to create a framework where software can be reused and applications can be shared in a community with ever growing momentum.”
"We see multicore (processing) being a major step forward. We will be introducing even better capability making our analysis algorithms multicore aware so we can once again improve the efficiency of multicore as well as what LabVIEW does with a fundamental parallel approach," he said. "We see a supercomputer on every desktop. These are the next generation of computers with very powerful processing capabilities to solve the hardest problems on the planet."
NI is also making a bigger leap into the wireless market. While they have been in the area, the company is now pushing big research and development dollars into wireless.
“Wireless is everywhere and it is the biggest expense in our R&D area these days,” said Tim Dehne, NI senior vice president of R&D.
“We are introducing WiFi data acquisition products that will allow you to do your job in a better way,” Truchard said.