A couple of days ago I wrote about a reader who was debating the term “control” in SCADA and then referenced an analysis of the development of control by Eric Byres at the Tofino Security blog.
Yesterday, Byres’ colleague, Erik Schweigert, added a post about the development of PLCs relative to security. There are some interesting thoughts about “what if they had designed for security” and the like.
As we incorporate commercial microprocessor technology into our process control and increasingly network these controllers, we then open ourselves to cyber attack. Companies can, and should, design in additional security measures. But my experience from time spent in product development and quality assurance tells me that we really cannot 100% save people from themselves. If we don’t have sufficient training and procedures, we will increase our risk of exposure.
Yes, people are a big problem. For example, see this post by Jeff Atwood, which says that “social engineering” succeeds when other attack methods fail.