January 2008

Find a security plan and allow it to evolve

By Gregory Hale, InTech, Editor

Dan O'Dowd stood before a crowded conference room and talked about eerie scenarios where security breaches occurred.

"Right now our critical infrastructure is vulnerable to a devastating attack," said O'Dowd, president and chief executive at Green Hills Software, at the company's Embedded Software Summit in Santa Barbara, Calif. "Last year, someone hacked into the Athens telephone system and bugged the prime minister's cell phone. Greece still hasn't found out how it was done."

In addition, he said, cyber thieves snuck into two high-profile online stock trading firms and created phony accounts where they then traded funds back and forth.

Not to sound overly dramatic, but take a look at your bank account, then your credit card, then your stock portfolio, then your cell phone. After you get to work, think about your credit union account, your pension, and 401K and all the passwords you use on a daily basis to run your system. 

Then think about what would happen to you and all the people that depend on you if these accounts all disappeared with a click of the mouse. Sound overly dramatic? It shouldn't, because these have all happened at some point over the past few years, he noted. 

O'Dowd went into a litany of possible strike areas. He showed clips from a movie to dramatize the potential. However, the scary thing is the examples he gave were not Hollywood fiction. They could really happen.  

Surely there are people out in the automation industry that say, "Yeah, it can happen to other industries, but who would want to attack a plant?" The answer is anybody can attack at any time for any reason. 

"Security from our standpoint is an arms race," said David Grawrock, principal engineer and lead security architect at Intel Corp. "Attackers will find vulnerabilities, and we have to find them. Let's make it easier for IT departments to protect their platforms. If you don't have control, you don't have knowledge, and you (need to) make changes."

Security is not about suppliers going from event to event trying to scare people into buying their solution. Those days are gone. 

Open technology means just that: Open technology. Most manufacturers understand open technology makes it much easier for hackers to get into systems and take over. That is why a coherent security system needs to be put in place, and adhered to. Will there be one complete solution that will turn the bad guys away all the time? Never. But there needs to be an evolving plan that keeps your plant one step ahead.

That means the convergence between the IT and manufacturing environments needs to work much better than it has in the past. 

"We are now seeing a CIO influence, with SCADA experts and plant networking involved in more meetings," said Industrial Defender's Todd Nicholson. "Not too long from now, it will become a unified area."

The days of cajoling and scaring manufacturers into working out a security solution are over. The threat is real, and it is imminent. Automation silos should be gone, and everyone should be working together for the greater good. If that happens, this script will end with a happy ending where manufacturers will enjoy safe and secure uptime.

Talk to me: ghale@isa.org or (919) 990-9275.