Hard hat vs Black hat - the hype versus reality

Jan. 1, 2000

Critical infrastructure protection, or control system cyber security, is becoming more popular with the mainstream IT community, as demonstrated by the number of presentations at Black Hat. The challenge is separating the real issues from the hype. The first and most important point is that the control systems used in almost all industries were designed for reliability and safety, and they do that very well. They have reliability numbers of far greater than 99% and operate for as many as 10-15 years. They were not designed to be secure and therefore aren't. That should not be a surprise, but apparently it is.

Black Hat caters primarily to hackers and security researchers from the IT community, as well as the press. It does not cater to the control systems engineers who maintain and operate these systems. Many of the more sensational presentations do not represent what is actually used, or how it is actually used, in control system environments. The wireless oil industry hacking presentation was an example of hacking a protocol that is generally not used by the oil industry. The protocol that was hacked, Zigbee, has known vulnerabilities and is used in home area networks for smart grid, not in large industrial applications like pipelines or power plants.

Kyle Wilhoit's presentation on ICS honeypots was terrific and demonstrates a point that is too often overlooked: a small end-user can be a target because it is small. Several years ago, the "Illinois water hack" was pooh-poohed because many questioned who would want to target a small water utility in central Illinois. Kyle's presentation demonstrated there are many "nation-states" and others actively trying to hack a small water utility in Missouri. This is important because a small water utility has the same control systems as a large power plant or refinery. Moreover, a small electric utility is also connected to its larger neighbors, making it a back door into the larger utilities.

It is not difficult to demonstrate the sky could be falling. It is more important to know if the demonstrations have relevance to critical infrastructure applications.
