The first few weeks of May were Security weeks at The Manufacturing Connection. In preparation for the May 17-20 RSA Security Conference, I interviewed Ron Brash, Director of Cyber Security Insights at Verve Industrial. This was supposed to be an introduction to his talk at the security conference, so I didn’t take detailed notes. Unfortunately, 10 days later I discovered that my pass to the conference was “insecure”, and I could only view keynotes. I was blocked out of Brash’s presentation (which I’m sure was very good).
We talked about how control engineers and vendors were historically lazy about security. If anyone thought about it at all, they figured that not being connected outside was sufficient protection. (Although I might add as a side note a customer story. I sold a certain prominent brand of PLCs in the mid-90s. My top customer was a major automotive engine plant, who, unfortunately, used a rival PLC. However, I thought I might have an opening when I walked into the control engineering area of the office and saw everyone gathered around a PC. It seems that an update from my rival contained malware. It infected all the PCs. So, even in the early days there were security holes.)
Brash noted that the advent of IIoT to the Cloud punched a hole in the supposed safety gap opening up a potential security intrusion path.
He also talked about the need for a good asset inventory, as well as, a solid management of change program.
Following are some notes from his blog:
Imagine for a moment flawless code. Picture the most technologically complex system operating without issue. Conjure a single, silver-bullet solution that will save humankind from itself. Hard to imagine, right?
Thanks to the way devices are designed, engineered, developed, maintained, and sold, embedded systems, like any other enterprise computing product, will be flawed. While there have been major improvements in code analysis, fundamental software design problems continue to slip through into production. Most programmers remain woefully inept at making good security decisions in the development stage and profit-motivated vendors have little appetite to address that shortcoming.
If you’re now panicking at the scope of embedded systems insecurity, take heart. Not all devices are easily exploitable or they are exploitable only under certain conditions largely affected by how you deploy and configure them.
One key to addressing the challenge is to get ahead of the embedded security problem before it gets a foothold in the organization. Owners must insist on robust security during procurement, design of solutions, and throughout cybersecurity factory acceptance and site testing. This way, OEMs and vendors will learn they cannot continue unchallenged. Trust, but always verify.
As a community, we should not let poorly secured products gain traction in the market. We must demand security as a necessary feature. Software engineers and developers take note – even if you are a cog in the machine, we are all affected; especially when embedded devices become integral to the systems responsible for our lights, our water, our health, our daily lives.
RSA Security Conference
Twice this month I have heard the famous World War II airplane analysis cited as an example. It seems that the Allies were losing a large number of bombers flying over Germany. So, the generals commissioned a study. The analysts studied the planes returning from their bombing runs plotting where all the bullet holes were. The thought was to add additional armor to those areas to protect the plane.
Then someone with a broader vision noted an obvious fact—all of these planes made it back. All the bullets had struck nonessential areas of the plane. What needed additional protection were the other areas.
The first keynote pointed out these important thoughts:
- Use a risk-based approach—Protect the areas with the greatest risk
- Zero trust
- Segment networks
- Prepare for chaos
This was followed by three points:
- Security risk feature out of focus—prioritize
- Legacy systems slowing us down, need for thought diversity
- Security is not a solo sport
Or, as Angela Weinman of VMWare summarized:
- Zoom Out
- Throw Out
- Reach Out