Despite the lesson of the Stuxnet virus, it is easy to get a malicious piece of code inside most industrial plants, says a system integrator who should know.
Despite the fact that the Stuxnet virus made headlines when it attacked programmable logic controllers running Iran's nuclear centrifuges, a similar attack on industrial facilities in the U.S. would be remarkably easy to pull off.
That was the take-away I got from a session during an event called the Big M, organized by the Society of Manufacturing Engineers. The cyber security panel included Bruce Billedeaux, a senior consultant at Maverick Technologies. Maverick is a systems integrator that does a lot of industrial control work. Billedeaux remarked that though there's more sensitivity to cyber security issues today, it would still be relatively easy to compromise computer-controlled equipment in most industrial plants. "I have never been asked about the contents of the computer I bring into a plant," he said. Ditto for the USB sticks he occasionally brings in. That's worrying because once the bad guys have gotten behind a plant's firewall, they can exploit the firewall to do a lot of damage, he says.
It seems that third-party support of plant-floor equipment has been a blind spot for a lot of industrial cyber security efforts. "There is almost no outbound protection for industrial equipment in a lot of cases," Billedeaux said. "No one has validated the person on the other end of the line. If you have a VPN coming into the plant, most facilities have no idea whether the remote machine has been compromised or not."
And here is a scenario he outlined that, I noticed, had several audience members shifting in their chairs uncomfortably: Suppose it is late at night and you are trying to get a line up and running quickly because downtime costs thousands of dollars a minute. But you are missing a critical piece of driver software and the manufacture's web site is down, so you can't download it. You start searching. You eventually find the driver somewhere else. But if the site with the driver sits is a domain that looks something like ***.ru, are you still going to download that driver? And in the heat of the moment, will you take time to scan it first?
Billedeaux's message was that manufacturers have to plan ahead to avoid sticky situations like this.