‘Security Through Obscurity’ Doesn’t Work

Tuesday, October 18, 2011 @ 05:10 PM gHale

By Nicholas Sheble
“Historically we controls engineers were concerned only with reliability. The environment has changed,” said Murray McKay, principal application engineer at Siemens Industry.

That could be an understatement in the present environment of Stuxnet and massive Internet intrusions and bank fraud.


“All systems are available to the Internet. Even air gaps don’t ensure that viruses don’t get into our facilities anymore. USB sticks are, as best we know, how the Stuxnet worm was able to propagate itself,” said McKay, referring to the ubiquitous memory devices that we carry in our pockets and stuff into our work computers.

“Security-by-obscurity no more,” McKay said.

McKay spoke last week during the Siemens webinar “Best Practices for Increasing Security of an Automation System.”

Historically, automation systems have relied on “security through obscurity” to avoid computer attacks. Those days are gone.

While the number of actual attacks on automation systems has been small, the tools needed to conduct these attacks are now loose in the wild and the potential losses from an attack are large.

Requirements for MIS (management information systems) and MES (manufacturing execution systems) integration with the control system, as well as program backup and maintenance activities, eliminate the possibility of security through lack of connectivity.

McKay discussed key steps that can help protect our control systems against threats including:
• Identifying key security risks to a control system
• Designing a network that complies with ISA99 recommendations to place barriers between external threats and your control system
• Deploying a “defense in depth” strategy by using existing (or easily added) features to limit risks
• Configuring security options on control system equipment to erect further barriers to attacks
• Creating and adhering to operating policies to limit threats from non-network sources
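The ISA99 idea behind the second and third bullets is to split the plant into zones and allow traffic between zones only over explicitly defined conduits, so that nothing in the enterprise network can talk to a controller directly. The following is an added illustration of that model, not code from Siemens, McKay or the webinar: the zone names, the conduit table and the sample flows are all constructed for the example, and the protocol ports (443 for an HTTPS historian replica, 4840 for OPC UA, 102 for S7 communication, 502 for Modbus/TCP) are assumed values a plant might use, not a recommendation from the page.

```python
"""Toy ISA99-style zone/conduit policy check (added example, not from the page).

Every zone pair that is not listed as a conduit is denied, so an enterprise
host asking for a direct path to a PLC is refused even if the service itself
(e.g. TCP/102) is legitimate inside the control zone.
"""
from dataclasses import dataclass

# Hypothetical zones for a small plant.
ZONES = {"enterprise", "dmz", "control"}

# Conduits: (source zone, destination zone) -> set of permitted (proto, port).
# Constructed policy: enterprise systems only reach a historian replica in the
# DMZ; only the DMZ may poll the control zone; controllers talk among themselves.
CONDUITS = {
    ("enterprise", "dmz"): {("tcp", 443)},            # MES/MIS read the DMZ historian over HTTPS
    ("dmz", "control"): {("tcp", 4840)},              # DMZ historian polls OPC UA servers
    ("control", "control"): {("tcp", 102), ("tcp", 502)},  # S7 communication and Modbus/TCP
}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str
    port: int


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return ("allow"|"deny", reason) for one proposed flow.

    Default is deny: a flow is allowed only when a conduit exists between the
    two zones AND the service is on that conduit's allow-list.
    """
    if flow.src_zone not in ZONES or flow.dst_zone not in ZONES:
        return ("deny", "unknown zone")
    allowed = CONDUITS.get((flow.src_zone, flow.dst_zone))
    if allowed is None:
        return ("deny", f"no conduit from {flow.src_zone} to {flow.dst_zone}")
    if (flow.proto, flow.port) not in allowed:
        return ("deny", f"{flow.proto}/{flow.port} not permitted on conduit")
    return ("allow", f"conduit {flow.src_zone}->{flow.dst_zone}")


def audit(flows: list[Flow]) -> dict[str, int]:
    """Evaluate a list of proposed flows and count verdicts."""
    counts = {"allow": 0, "deny": 0}
    for flow in flows:
        verdict, _ = evaluate(flow)
        counts[verdict] += 1
    return counts


# Constructed sample: what a firewall change request might contain.
SAMPLE_FLOWS = [
    Flow("enterprise", "dmz", "tcp", 443),      # allowed: MES pulls from DMZ historian
    Flow("dmz", "control", "tcp", 4840),        # allowed: historian polls OPC UA
    Flow("enterprise", "control", "tcp", 102),  # denied: no enterprise->control conduit
    Flow("dmz", "control", "tcp", 502),         # denied: Modbus is not on the DMZ conduit
    Flow("control", "enterprise", "tcp", 443),  # denied: no outbound conduit from control
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f, *evaluate(f))
    print(audit(SAMPLE_FLOWS))
```

The point of the table-driven shape is that a reviewer can see every permitted path at a glance; anything that is not written down is denied, which is the “defense in depth” posture the list above describes.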

McKay offered several control systems-related sites for the viewers’ consideration, including his own company’s sizable offering:
• Industrial Security
• Cross-Vendor Position Paper on the ICS Security Posture
• Control Systems Security Program (CSSP)

McKay also recommended the following standards as those from which anyone concerned with industrial control systems would most likely benefit:
• ISA99, Industrial Automation and Control Systems Security
• Guide to Industrial Control Systems (ICS) Security
• Industrial communication networks – Network and system security – Part 2-1: Establishing an industrial automation and control system security program

Nicholas Sheble (nsheble@isssource.com) is an engineering writer and technical editor in Raleigh, NC.
