Jeremy Pollard, CET, has been writing about technology and software issues for many years. Pollard has been involved in control system programming and training for more than 25 years.
U.S. Department of Defense (DoD) Deputy CIO Major General Robert Wheeler's keynote speech at the 2013 ISA Automation event talked about a "Joint Information Environment" in which internal and external customers collaborate on shared infrastructure. I'm quite sure he didn't mean the kind of collaboration described below.
Securing 3.7 million local and remote DoD users across the globe while still providing them services and access to digital assets is a daunting task.
How surprised were you when you read that Target's corporate systems had been hacked, with customers' personal information flying out the door? Most people didn't pay much attention; who cares whether someone steals credit card data? But we have to care, and we have to start now.
The ongoing saga of keeping control networks separate from the "other" network has its proponents and opponents. But when our industry gets blamed for trouble on the other side of the fence, we need to take notice.
The Target security breach came by way of Fazio Mechanical Services (according to krebsonsecurity.com), which could have been any one of many machine builders, service companies or individuals.
It seems Fazio had been granted credentials for access to the corporate network to monitor and control HVAC systems at various properties, a common practice to save costs during off hours and holidays. The hackers stole those credentials from Fazio and used them to gain access to Target's network. Problem #1: The security of a third party's systems must be at the same level as the target system's (no pun intended). Was it?
Fazio stated that its IT system and security are in full compliance. Then what went wrong? While the headline reads "Target Hacked," it was in fact Fazio, the HVAC contractor, that was hacked; the door to Target was then opened with the key the hackers already held, according to Yadron and Ziobro in The Wall Street Journal on Feb. 5.
Here's why corporations have a problem with remote access: no one seems able to lock down systems, encrypt data or keep that "save my credentials" auto-logon box unchecked on the RDP connection. A saved credential turns a remote-access password into a file on a technician's machine, and whoever can log on as that user, or walks off with the machine and its credential store, gets the connection.
This is a major issue. How can any corporation trust that the credentials it gives out won't be misused? The solution seems easy: don't give them out. Target's IT department might also be at fault, but it could be oblivious to what an industrial connection can reach. Does staff think they're invincible because they're running a free anti-virus program?
Remote access is a big issue that has yet to be solved.
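The auto-logon box mentioned above leaves a footprint that can be audited. The following is an added example, not code from this column or from any vendor named in it: a small Python script that parses the `name:type:value` line format that mstsc.exe writes to .rdp files, flags a stored `password 51` blob or a `prompt for credentials:i:0` setting, and produces a hardened copy that forces a prompt. The file paths and file contents are constructed for the example.

```python
"""Audit .rdp connection files for saved credentials and disabled prompts.

Added example, not code from the column.  It parses the 'name:type:value'
line format of .rdp files and flags the two settings that turn a connection
into a one-click logon:
  - 'password 51:b:<hex>'        an encrypted password stored in the file itself
  - 'prompt for credentials:i:0'  do not ask; use whatever credential is saved
The paths and file contents below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List

PLANT_HMI = r"C:\Users\tech\Desktop\plant-hmi.rdp"   # hypothetical path
CORP_JUMP = r"C:\Users\tech\Desktop\corp-jump.rdp"   # hypothetical path

# Constructed sample files: the first is the "auto logon" case, the second is clean.
SAMPLE_RDP_FILES: Dict[str, str] = {
    PLANT_HMI: (
        "full address:s:hmi01.plant.example\n"
        "username:s:PLANT\\svc-hvac\n"
        "password 51:b:01000000D08C9DDF0115D1118C7A00C04FC297EB\n"   # sample blob, truncated
        "prompt for credentials:i:0\n"
    ),
    CORP_JUMP: (
        "full address:s:jump.corp.example\n"
        "username:s:CORP\\jsmith\n"
        "prompt for credentials:i:1\n"
    ),
}


@dataclass
class RdpFinding:
    path: str
    host: str
    username: str
    issues: List[str] = field(default_factory=list)


def parse_rdp(text: str) -> Dict[str, str]:
    """Parse 'name:type:value' lines into name -> value.

    The type tag (i, s or b) is dropped; the value part may itself contain ':'.
    """
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        name, _kind, value = parts
        settings[name.strip().lower()] = value
    return settings


def audit_rdp(path: str, text: str) -> RdpFinding:
    """Report the settings that let this file log on without asking."""
    s = parse_rdp(text)
    finding = RdpFinding(path=path, host=s.get("full address", "?"),
                         username=s.get("username", ""))
    if s.get("password 51", ""):
        finding.issues.append(
            "stored password in file: anyone who can run as this Windows user "
            "can open the session without knowing the password")
    # A missing setting behaves like 0: the client does not force a prompt.
    if s.get("prompt for credentials", "0") == "0":
        finding.issues.append(
            "prompt for credentials not forced: saved credentials are used silently")
    return finding


def scan(files: Dict[str, str]) -> List[RdpFinding]:
    """Audit every file and keep only those with at least one issue."""
    findings = [audit_rdp(path, text) for path, text in files.items()]
    return [f for f in findings if f.issues]


def harden(text: str) -> str:
    """Return a copy with the stored password removed and a prompt forced."""
    out: List[str] = []
    forced = False
    for line in text.splitlines():
        name = line.split(":", 1)[0].strip().lower()
        if name == "password 51":
            continue                      # drop the embedded password
        if name == "prompt for credentials":
            out.append("prompt for credentials:i:1")
            forced = True
            continue
        out.append(line)
    if not forced:
        out.append("prompt for credentials:i:1")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in scan(SAMPLE_RDP_FILES):
        print(f"{f.path} -> {f.host} as {f.username!r}")
        for issue in f.issues:
            print("   -", issue)
```

On a real workstation the same audit would walk the user's profile for `*.rdp` files; note that modern clients usually keep the saved password in Windows Credential Manager rather than in the file, so an empty `password 51` does not prove nothing is saved, only that nothing is saved in the file.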
Michael Bush, senior technology manager for control architectures at Rockwell Automation, confirmed that most systems in customers' hands rely on the same compliance standards that Fazio did. "There is no silver bullet," he says of the security issues surrounding remote access.
I've talked before about MobiKey from Route1, which offers two- and three-factor authentication for remote access. That addresses Bush's major point, which is the lack of a defined entry point: where does the remote connection actually land?
Firewall access, full network access or point-to-point access (such as PC Anywhere in the good old days) each define the function of an outside connection differently, and the narrower the definition, the clearer the entry point.
Bush says many Rockwell customers allow backdoor access to their PLC and SCADA systems for third-party suppliers. It can reduce service costs and downtime. But with all the players involved, it creates the entry-point issue: where does the backdoor lead?
Bush states that Rockwell has to know as much as it can about the systems with which it interfaces, and tries to help customers with their security needs and wants. But Rockwell isn't in the business of supplying those security systems as such.
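One way to answer "where does the backdoor lead?" is to write the contracted path down as an allowlist, one vendor account to one destination and port, and compare what the firewall actually accepted against it. The following is an added example, not code from the column or from Rockwell: the log format, host addresses and account names are constructed for illustration; TCP/44818 is the EtherNet/IP (CIP) port used by Rockwell controllers.

```python
"""Check vendor remote-access sessions against a point-to-point allowlist.

Added example, not from the column.  The allowlist says which single
destination (and port) each vendor account is contracted to reach; any
accepted flow outside that path is a finding.  The log line format below
is constructed for the example, not a real firewall's output.
"""
import re
from typing import Dict, List, NamedTuple, Set, Tuple

# vendor account -> set of (destination, port) it may reach.  Addresses and
# account names are made up; 44818 is EtherNet/IP, 3389 is RDP.
ALLOWLIST: Dict[str, Set[Tuple[str, int]]] = {
    "vpn-hvacvendor": {("10.20.1.50", 44818)},                          # the one PLC they service
    "vpn-oem-press":  {("10.20.2.10", 44818), ("10.20.2.11", 3389)},    # press PLC plus its HMI
}

# Constructed firewall log lines for the example.
SAMPLE_LOG = """\
2014-02-06T02:11:09Z fw01 ACCEPT user=vpn-hvacvendor src=10.200.0.14 dst=10.20.1.50 proto=tcp dport=44818
2014-02-06T02:11:41Z fw01 ACCEPT user=vpn-hvacvendor src=10.200.0.14 dst=10.20.1.50 proto=tcp dport=44818
2014-02-06T02:13:02Z fw01 ACCEPT user=vpn-hvacvendor src=10.200.0.14 dst=10.10.5.21 proto=tcp dport=445
2014-02-06T02:13:05Z fw01 ACCEPT user=vpn-hvacvendor src=10.200.0.14 dst=10.10.5.21 proto=tcp dport=3389
2014-02-06T03:40:17Z fw01 ACCEPT user=vpn-oem-press src=10.200.0.31 dst=10.20.2.10 proto=tcp dport=44818
2014-02-06T03:41:00Z fw01 ACCEPT user=vpn-unknown src=10.200.0.77 dst=10.20.2.10 proto=tcp dport=44818
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) (?P<action>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) proto=(?P<proto>\S+) dport=(?P<dport>\d+)$"
)


class Event(NamedTuple):
    ts: str
    user: str
    src: str
    dst: str
    dport: int


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format; lines that do not match are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(m["ts"], m["user"], m["src"], m["dst"], int(m["dport"])))
    return events


def find_violations(events: List[Event],
                    allowlist: Dict[str, Set[Tuple[str, int]]]) -> List[Tuple[Event, str]]:
    """Return accepted flows that step outside the account's contracted path.

    An account with no allowlist entry is itself a finding: nobody has written
    down where that backdoor is supposed to lead.
    """
    violations: List[Tuple[Event, str]] = []
    for e in events:
        allowed = allowlist.get(e.user)
        if allowed is None:
            violations.append((e, "no allowlist entry for this account"))
        elif (e.dst, e.dport) not in allowed:
            violations.append((e, f"outside contracted scope {sorted(allowed)}"))
    return violations


if __name__ == "__main__":
    for event, why in find_violations(parse_log(SAMPLE_LOG), ALLOWLIST):
        print(f"{event.ts} {event.user} {event.src} -> {event.dst}:{event.dport}  {why}")
```

In the sample, the HVAC vendor's account reaching a file server on 445 and 3389 is exactly the kind of movement the firewall accepted because the account had "network access" rather than a defined point-to-point path; the same rule set, expressed as deny-by-default firewall policy instead of after-the-fact review, is what turns the allowlist from a report into a control.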
Target will have to spend $500 million to recover from this breach. Fazio won't be writing a check for that, I'm sure. Target has insurance, but the damage done to cardholders' confidence might be tough to overcome.
Bush suggests that most companies rely on entry-point security such as Cisco routers, Juniper firewalls and other front-end infrastructure. That is well outside the scope of any machine builder who simply wants to connect to his machine or cell to provide service. If the service contract assumed remote access, one wonders what the repercussions would be if that remote access required an ironclad protection agreement from the supplier to the customer.
Target and Fazio have opened up a whole new world. Not sure it's all that comfortable a place.