Got cybersecurity?

May 10, 2017
Industry should be embracing best practices, not ignoring its importance

This is not a sales pitch. But maybe it is a call for help or even maybe a battle call for users everywhere. I am officially very afraid of what our future holds due to the lack of perceived importance of cybersecurity at almost all levels of our industries.

I have been researching for a presentation at the 60th Annual ISA Power Industry Division (POWID) Symposium in Cleveland in late June. I was also asked by a company called Route1 to do some market research for them in critical infrastructure.

Route1’s flagship product is called MobiKey, which provides “guaranteed” secure remote access for mobile desktop replication from any device. “Woo hoo,” I thought.

Well, then I was enlightened. We need to be very concerned as to how we do business remotely, especially with bring-your-own-device (BYOD) and the need to be kinetic.

My travels took me to many blogs, boards, vendor and regulatory sites such as ICS-CERT, NERC, ISA, IEC, SANS and many more. The amount of information was overwhelming. And I mean overwhelming. Did you know there are 76 security certification designations?

One wonders how effective our security forces are with so many issues that face us.

And the biggest by far is the virtual private network (VPN). We think it’s safe, but we are mistaken. The CIA/WikiLeaks-documented tools to hack secure sockets layer (SSL) are public, making any VPN suspect. OpenSSL has issues that have been recently released.

My real problem with all of this is that the issues get publicized before they get patched. I belong to various “tell all” sites that release sensitive information about devices and their foibles. This includes the big guns such as Siemens, Rockwell Automation and Cisco, to name a few.

Their products have bugs and attack surfaces that are easily broken by those who know. And some of these issues have been around for years. How many times have you received an alert from a vendor telling you there is a security bug in their firmware but not to worry about it? “No one will know how to access our PLCs.”

Project SHINE (Shodan Intelligence Extraction) gives us a view into the number of devices that are exposed on the Internet. This is a direct connection to the World Wide Web. Are we nuts?

Vendors who are giving us the opportunity to access our PLCs over the Net using open-source code from virtual network computing (VNC) and others are being totally irresponsible, if I may say so.

The users that are actually doing it are worse.

So, let me share with you my history lesson. In the 1980s, we had PLCs and mini-computers with modem access. We moved to Windows 3.11 (networking), which brought homegrown networks into play. You didn’t have to have a Novell expert on staff. But the IT guys didn’t like this much because the maintenance department could spark up its own network. Engineering workstations were born to support the ever-growing amount of hardware and automation.

And the world was still a safe place. Then came Windows servers, networking and desktop boxes with big power. We moved the computing power from the server to the desktop. And we were still safe. But wait.

The Internet solves it all. Let’s put everything we have on the Net. We can access it from anywhere, and it will solve many problems. Well, we now know that it amplifies the problems.

I submit that we need to allow the IT guys to secure the perimeter as normal. No one will be able to control the remote endpoints; this includes VPN users accessing remotely. So, why bother trying?

Turn the clock back 10 years. Secure the perimeter again, and leave remote access to MobiKey. What this technology does is unreal, and I find it very odd that no one knows about it.

If you use a desktop in your office that runs Windows, then you can access that desktop securely on any device using MobiKey. It removes all endpoint issues on any device, such as smart phones, iPads, laptops and home computers, that people would use to access assets behind a firewall with a VPN, which can no longer be assumed to be secure.

Android is the biggest threat to BYOD, and MobiKey solves it. Why are we trying to complicate the issue of simple remote access and cause the system to be systemically flawed?

I get more than 100 alerts every day regarding cybersecurity-issue stories and how-to articles. It’s scary that we think it’s OK to use a VPN on the laptop that your teenage son uses to go places he shouldn’t, and then it’s used to join your company network through an open port and becomes a node on that network allowing many potential issues to arise.

ICS-CERT states that, "VPNs are only as secure as the connected devices."

For our industry, reduce the landscape, use MobiKey and fuhgeddaboudit.

About the Author

Jeremy Pollard | CET

Jeremy Pollard, CET, has been writing about technology and software issues for many years. Pollard has been involved in control system programming and training for more than 25 years.