What are We Doing Wrong?

By Lisa Vaas  |  Posted 2007-10-23

What are we doing wrong when it comes to securing these systems?

The operator interfaces—where you see pictures of control rooms and whatever—the screens, that's Windows. Or Unix. Or Linux. You can secure that the way you're used to having systems secured. The devices that basically feed those interfaces—the actual controllers, the sensors, the things in the field—are not Windows. They don't have secure operating systems. They are very computer-resource-limited. You can't do or apply the type of things you would to secure Windows.

What people have done is they've taken the normal approach, the old CIA approach with confidentiality, [etc.], and in the traditional computer world, [where] the thing you're most concerned about is confidentiality.

You spend your time trying to develop encryption. If you want confidentiality, you don't want people to be able to read things. Doesn't matter how many times you send things, as long as when it finally gets there, nobody could figure out what your credit card number was. In a control system, this thing has to operate within milliseconds. If you send something and it doesn't get there or it gets misinterpreted, bad things happen. Either things malfunction or it shuts down.

So rather than keeping these control systems from revealing data, as is the concern in data security, we should be more worried about being able to determine if commands coming in are legitimate?

We're concerned that wherever this data is coming from is where it said it came from. We care if output is 60 percent and not 6 percent. That's what we care about. All this work on encryption is good, but it's not all that relevant. Where's the work on authentication and integrity? There's very little [of that work being done].

So what you're saying is that security just doesn't translate well from the PC world into the system controls world?

[Right.] Another thing is that we use different protocols. We're not just IP. You don't have all day to do a stateful inspection and try to figure out what's in there. It's very different. The technologies we need are specific to these systems. And we don't have that many people who know these systems. We have people developing Windows firewalls for control systems. How many of those do we need? Not many, I'd think. We're not getting the things developed that we need developed. First and foremost, these systems need to be treated with at least as much security as you treat your mainstream IT systems. And that's what they've refused to do.

The industry?

Neither NERC [North American Electric Reliability Corp.] nor the utilities are. They have refused to address [these issues]. We're trying to force the issue, myself, NIST [National Institute of Standards and Technology] and some others.
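Added illustration, not part of the interview: the point made above, that a controller cares whether a setpoint really is 60 percent and really came from the station it claims to, worked as a minimal authenticated command check for a resource-limited device. The message layout, the shared key and all field values are constructed for this example.

```python
# Added example (not from the interview): an authenticated, sequence-numbered
# setpoint message for a resource-limited field controller. Confidentiality is
# not the goal; the receiver only needs to know the command came from the named
# operator station, was not altered in transit, and is not a replay.
import hmac
import hashlib
import struct

# Constructed shared key; a real deployment would provision one per device pair.
SHARED_KEY = b"constructed-demo-key-not-for-production"

# Constructed wire format: source id (2 bytes), sequence (4 bytes), setpoint in
# hundredths of a percent (2 bytes), then a truncated 8-byte HMAC-SHA256 tag.
HEADER = struct.Struct("!HIH")
TAG_LEN = 8

def build_command(source_id: int, seq: int, setpoint_pct: float) -> bytes:
    """Serialise a setpoint command and append an integrity/authenticity tag."""
    body = HEADER.pack(source_id, seq, int(round(setpoint_pct * 100)))
    tag = hmac.new(SHARED_KEY, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag

class CommandVerifier:
    """Receiver-side check: right sender, untampered, fresh, and in range."""
    def __init__(self, trusted_sources, max_pct=100.0):
        self.trusted = set(trusted_sources)
        self.last_seq = {}          # highest sequence accepted per source
        self.max_pct = max_pct

    def accept(self, msg: bytes):
        """Return (accepted, reason, setpoint_pct); cheap checks run first."""
        if len(msg) != HEADER.size + TAG_LEN:
            return False, "bad length", None
        body, tag = msg[:HEADER.size], msg[HEADER.size:]
        expected = hmac.new(SHARED_KEY, body, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time compare: a tag mismatch means altered or unkeyed sender.
        if not hmac.compare_digest(tag, expected):
            return False, "integrity/authenticity check failed", None
        source_id, seq, raw = HEADER.unpack(body)
        if source_id not in self.trusted:
            return False, "unknown source", None
        if seq <= self.last_seq.get(source_id, -1):
            return False, "replayed or stale sequence", None
        pct = raw / 100.0
        if not 0.0 <= pct <= self.max_pct:
            return False, "setpoint out of range", None
        self.last_seq[source_id] = seq
        return True, "ok", pct
```

A single flipped byte in the setpoint field (60 percent turned into something else) fails the tag check before the value is ever looked at, and a valid message resent later is refused as a replay.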
NERC and the industry have made clear they don't want it at all. This whole thing is forcing what they didn't want to have happen. Some of it isn't even programming. A lot of it is getting the people who run these systems to work with people who know security but not control systems and come up with teams to do this. The bottom line is that the utilities simply don't want to do very much, and, consequently, what they've done is written a standard that provides all sorts of exemptions and exceptions and ambiguousness so they can do as little of what they consider necessary and not have to do anything.

Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
