I attended the ARC Forum in Orlando Florida. The title of the forum is “The Digital Enterprise,” but it’s mostly about what’s going on with automation security. I’ve attended a number of talks and panel discussions and am dismayed by a lot of what I am hearing. I’ve put together a list (in random order) of the kinds of things I’ve heard so far.
Note 1: There seems to be a rush of companies jumping at the opportunity to cash in on the security fears of automation companies. There are myriad solutions. Lots of claims. None that are verifiable. Everybody says they’re the ones that can solve your security concern.
Note 2: Marty Williams from Homeland Security made a point I really liked. It was very simple and in today’s world, simplicity is not seen as a virtue. Marty told automation companies to evaluate their core processes, pick the one that is the most critical to life safety, the economic vitality of the plant, or most difficult to replace, and take it offline. Yes, completely disconnect it from the Internet and business networks. Essentially, hide it. Use a sneaker-net transfer of data in one direction only. His reasoning is that nothing can really be protected. If there is a well-funded organization or a nation-state that desires to penetrate your process, they will do so. They will use your people, your suppliers, your systems, or your technology against you in some fashion and they will succeed. You can’t stop them. You have to take the most critical pieces of your process offline. And that’s from Homeland Security!
Note 3: We haven’t really accomplished anything in the last ten years in our security efforts. We’ve succeeded in connecting everything. We’ve eliminated all the islands of automation but we haven’t made the equivalent progress in making anything more secure. Partly because of the problem I alluded to in the last note, but also because we just haven’t focused on it. We haven’t trained people well. We are implementing weak security measures and vastly overestimating their effectiveness. Our efforts as an industry are weak and ineffective.
Note 4: One of the attendees made the most intelligent remark that I heard. He said the problem with the automation industry is that we haven’t built security into the architecture. He mentioned Bitcoin and the Blockchain concept. When the original designers began thinking about Bitcoin, they thought long and hard about how to incorporate security into it. They had to. You can’t have a digital currency that isn’t secure. They developed the Blockchain infrastructure where all the transactions build upon one another. When I send Emily five Bitcoins, the block recording that transaction is locked in using the hash result from a hash of all previous transactions. Emily, as deceitful as she is, can’t change that five Bitcoin transaction to 500 Bitcoins without changing all the previous transactions. And, since that Blockchain is duplicated on thousands of machines, she would have to have massive computing power in order to change all the Blockchains on every computer all over the world.