Use the Club, Not the Rotisserie

How to Keep Vulnerability and the Chance of Any Problems as Small as Possible

Share Print Related RSS

Jim MontagueBy Jim Montague, Executive Editor

I've been feeling pretty guilty lately. After a winter of researching and reporting on network security and focusing on extremely dangerous computer viruses like Stuxnet, it's now spring and I've written a cover story on linking the plant floor with the business level.

So, I'm a little worried that even casual readers of Industrial Networking will spit out the latest mouthful of coffee, oatmeal or ham sandwich, and sputter, "What the #%&? You just got done telling us it wasn't safe to go out there!" If I've caused any such reactions, I'm sorry.

Still, the fact remains that plant-floor control and automation can't remain as isolated as they've been in the past. Users and their increasingly web-enabled components are dragged into participating in Ethernet-based networks and often intranets, if not the actual Internet, and they'll have to face some level of vulnerability. So, the main aim is to keep that vulnerability and the chance of any problems as small as possible.

Consequently, as the process safety experts remind me during every safety story, you must mitigate and remove as many vulnerabilities as possible ahead of time, deter as many as you can that remain, and then prepare a thorough and resilient response to any intrusions that do happen by backing up data and having replacement devices ready to go.

For example, remember the Club? Back in the pre-infomercial days of "As Seen on TV," this was a long, red plastic-covered, metal bar that could be locked onto a car's steering wheel, and supposedly prevent thieves from turning it freely. Police officers I covered on my old newsbeat told me even semi-competent car thieves could disable and remove the Club in a few moments, which seems to make it useless.

But that wasn't the point, according to the disclaimer. The Club might not prevent a determined assault, but crooks are usually in a hurry, and so it provided a good deterrent. Why jimmy a door and disable the Club when the next car is not similarly equipped and the one after that is unlocked? As one of the two men running from the bear in the old joke said, "I don't have to be faster than the bear. I just have to be faster than you!"

These same strategies can be useful in industrial networking, even though software viruses move faster and can attack many computers at the same time. Unfortunately, much like thieves, viruses evolve and quickly come up with new attacks.

As a result, good mitigation, deterrence and response means regularly reevaluating and updating security software and tools. I know many engineers and managers would simply like to buy software or a block box to protect their networks. However, these tools are useless—and resulting vulnerabilities are much larger—if plant-floor, IT and business-level users aren't trained to update, patch and use them in genuine cooperation with each other. You can't just "set it and forget it" like Ron Popeil's Showtime Rotisserie Roaster (www.ronco.com), which is another infomercial that's been drilled into our brains as popular culture.

I can almost hear the kicking and screaming now. It might as well be a Tea Party meeting or a lesson in a radical, fundamentalist madrassa in rural Pakistan. Yes, both eventually meet up somewhere on the other side of nuts—endlessly angry that they can't go back to a past when they felt more in control. Of course, anger is just another form of rationalized laziness, and a way to avoid the hard work of cooperation and constructive change. However, while gums are flapping, fists are shaking and sabers are rattling, some less noisy people still grow the food, pump the water, feed and educate the kids, file the records, drive the trucks, fight the fires, patrol the streets, and run the power stations. Who? It's the farmers, parents, teachers, clerks, truck drivers, fire fighters, cops and controls engineers, of course.

These good folks are the true security tools. So, don't just worry about viruses and attacks. Worry instead about what you can do to get your staff to jointly perform a basic security checklist, make a common-sense effort to adopt its recommendations, and then train and retrain themselves to do the same. Much like the Club, viruses and thieves themselves can't withstand a determined and sustained response. Oh, and turn off the TV.

Share Print Reprints Permissions

What are your comments?

You cannot post comments until you have logged in. Login Here.

Comments

No one has commented on this page yet.

RSS feed for comments on this page | RSS feed for all comments