There has been a lot of talk recently about the "Internet of Things" (IoT), and I have written previously about IoT and the security concerns that I had. Then I ran across this article, "Cyber attacks becoming greater threat to refinery control systems" in Hydrocarbon Processing, talking about how control systems are becoming more vulnerable to outside attacks. To me it was fairly obvious that security would become a concern as control systems and equipment start to become connected to the Internet, and that the benefits of the Internet of Things start driving this connectivity. After all, we still see a number of security break-ins to companies and corporate & personal data stolen, whether by nations or by other criminal parties. So I expected cyber attacks on connected systems.
What triggered me to write this blog was this:
"The virus entered the network because a third-party technician used a USB drive to upload software updates during a scheduled outage for an equipment upgrade. The USB drive was infected with the Mariposa virus, and the infection resulted in downtime for systems and delayed the restart of the plant by three weeks." Mark Bristow - US Department of Homeland Security
A very costly mistake.
I have been in IT for many years, starting with mainframe equipment, and as technology progressed moving to the PC world and into integration with control systems. Throughout my career I have been consistently lectured on security (passwords, updating antivirus programs, don't just click on any link, etc.), so I have a tendency to think that the threat will come electronically via the "net". This article was a reminder to me that the threat can also come the "old fashioned way", via attachment of a contaminated physical device. In this case, the attachment of a USB drive to the network. To counter this we need to ensure that every device either does not have the capability to be updated via an attached device or has the ability to automatically scan any attached device for potential threats. And it is not just the USB type of threat we have to watch out for; new equipment can be delivered with viruses already installed (e.g. some Seagate drives in 2007).
So I wonder:
Could this or has this happened to you?
What policies do you have in place to control people attaching external devices to your network?
In fact, do you even allow people to attach unknown devices to your network?
Do you scan new equipment (fresh from the manufacturer) for potential threats before attaching them to the network?
Are you worried about the impact the Internet of Things could / will have on your network / control system security?
What are you doing to resolve / control these and other cyber security issues?