Not a day goes by without news of a new computer security threat. Whether it’s the Stuxnet virus, a hacker gaining access to consumers’ credit card numbers or social security numbers, or companies and government agencies reporting network security breaches, our increasingly interconnected world makes us more vulnerable to these kinds of threats.
But the industrial networks that we design, build and implement in factories, mines, refineries, and nuclear power plants, those are safe and secure, right?
Well, maybe not as safe as we thought.
Recently, the computer security blogger Brian Krebs reported that the Department of Homeland Security (DHS) had issued a warning about the vulnerability of industrial control systems (ICS) to hacking attacks. Specifically, it cited a published report revealing undocumented software backdoors in many common control systems from some of the largest control system vendors including GE, Rockwell Automation, Schneider Electric and Koyo. The report was based on findings from security vendor Digital Bond.
Digital Bond, along with a team of volunteers, has initiated a research effort named Basecamp to locate and document security flaws in ICS devices. You can see the results from some of the tests they’ve performed on some fairly common PLCs here.
A PDF on tips for improving security from Rockwell can be found here.
An online security webinar from Schneider Electric is here.
A more cynical take on reports such as this is that they are an easy way to pray on fears and drum up business for companies in the computer and network security business. Supporters argue that if there are such gaping security flaws in so many industrial control systems, then why haven’t there been any reported incidents of systems being hacked into and causing extensive damage or injury?
I’d like to hear your thoughts. Do you think these are legitimate concerns or are they overblown?