Voices: Pollard

Remote Access Is a Big Problem for Target Corp. and Fazio

Find Out Why Corporations Have a Problem With Remote Access and Cybersecurity

By Jeremy Pollard

U.S. Department of Defense (DoD) Deputy CIO Major General Robert Wheeler's keynote speech at the 2013 ISA Automation event talked about a "Joint Information Environment" of internal and external customers having infrastructure collaboration. I'm quite sure he didn't mean this.

Trying to secure 3.7 million local and remote DoD users across the globe and provide the services and access to digital assets is a daunting task.

How surprised were you when you read about the Target corporate site getting hacked, and personal information flying out the door? Most people didn't pay much attention, because who cares if they steal credit card info or not? But we have to, and we have to do it now.

The ongoing saga of control networks being separate from the "other" network has its proponents and opponents. But when our industry gets blamed for trouble on the other side of the fence, we need to take notice.

The Target breach of security came at the expense of Fazio Mechanical Services (according to krebsonsecurity.com), which could be any one of many machine builders, service companies or individuals.

It seems Fazio had security clearance to have access to the corporate network to monitor and control HVAC systems at various properties—a common practice to save costs during off hours and holidays.

The hackers stole the credentials from Fazio to gain access to Target's system network. Problem #1: The security of the third-party systems must be at the same level as the target system (no pun intended). Was it?

Fazio stated that its IT system and security are in full compliance. Then what went wrong? While the headline reads "Target Hacked," in fact it was Fazio, the HVAC contractor, that was hacked, and the door was opened to Target, since the hackers had the key, according to Yadron and Ziobro in The Wall Street Journal on Feb. 5.

Here's why corporations have a problem with remote access. No one seems to be able to lock down systems, encrypt data or keep that auto logon box unchecked on the RDP connection.

This is a major issue. How can any corporation trust that credentials given out won't be used improperly? The solution seems easy: Don't give them out.

Target's IT department might also be at fault, but it could be oblivious to what an industrial connection can do. Does staff think they're invincible because they're running a free anti-virus program?

Remote access is a big issue that has yet to be solved.


Michael Bush, senior technology manager for control architectures at Rockwell Automation, confirmed that most systems in customers' hands use those same compliance standards that Fazio did. "There is no silver bullet," he says, referring to the security issues surrounding remote access.

I've talked about MobiKey from Route1, which has two- and three-factor authentication for remote access. That addresses Bush's major point, which is the lack of definition of entry point. Where does the remote connector actually connect to?

Firewall access, full network access or point-to-point (such as PC Anywhere in the good old days) can help define the function of outside connections.

Bush says many Rockwell customers allow backdoor access to the PLC and SCADA systems for third-party suppliers. It can help with service costs and downtime costs. But with all the players, it creates the entry point issue. Where does the backdoor lead to?

Bush states that Rockwell has to know as much as it can about the systems with which it interfaces, and tries to help those customers with their security needs and wants. But Rockwell isn't in the business of supplying those systems as such.

Target will have to spend $500 million to recover from this breach. Fazio won't be writing a check for that, I'm sure. Target has insurance, but the damage done to the credit card user psyche might be tough to overcome.

Bush suggests that most companies rely on entry point security such as Cisco routers, Juniper firewalls, and front-end infrastructure. That is way outside the scope of any machine builder that simply wants to connect to his machine or cell to provide service.

If the service contract assumed remote access, one wonders what the repercussions would be if that remote access required the use of an ironclad protection agreement from the supplier to the customer.

Target and Fazio have opened up a whole new world. Not sure it's all that comfortable a place.

 


