Editor’s Note: This is an excerpt from the Practical SCADA Security blog at Tofino Security.
By Eric Byres
Industry needs to quickly come to terms with the bring your own device (BYOD) trend if we are ever going to make our plant floors secure.
Let’s start with mobile devices, especially personal mobile devices, showing up on the plant floor. Never going to happen you say? Don’t be so sure.
First, a definition. The topic of personal mobile devices is referred to in the corporate IT world as “Bring Your Own Device” or BYOD. If you haven’t heard of BYOD, Wikipedia defines it as: “Bring your own device (BYOD) is a business policy of employees bringing personally owned mobile devices to their place of work and using those devices to access privileged company resources.”
A common example is using your personal iPhone to access your company’s email system. And as I will explain later, the iPhone is only the tip of the iceberg. The whole BYOD phenomenon is a major concern throughout the corporate world.
An iceberg is a good metaphor for the onslaught of this technology. When dealing with an iceberg, pushing against it or ignoring it generally aren’t effective options. It is bigger than you are and will go where it wants. The best you can do is to try to manage it.
Most IT departments are beginning to accept the inevitability of BYOD. According to one study, the majority of companies surveyed said they are now adapting their IT infrastructure to accommodate employees’ personal devices, rather than restricting employee use of personal devices.
What about the plant floor? Will tablets soon be standard equipment in the refinery? Or will they be banned from moving outside the corporate office?
When engineers are asked to identify their unfulfilled industrial networking desires, the number 1 item is: “Connecting to the factory with a smart phone”.
I have discussed in the past that in any war between security and productivity, security will lose. The situation is no different here. Smart phones are coming to the plant floor. The only question is “Will we adapt to this new world in a secure way or will it be another source of insecurity”?
One option for the mobile device question is to just ban them outright. There are cases when this might be appropriate (explosive environments for example), but generally outright bans rarely work the way people want them to. One of the reasons is we have a tendency to see technology only in terms of what is available today or what is popular. This results in narrow definitions of a specific technology that lets other technologies slip through. For example, an iPhone is clearly a mobile device, but what about a personal USB keyboard or mouse that an employee brings in, perhaps for health reasons?
Sometimes a “mobile device” isn’t even a device at all. Consider a CD that contains a Stuxnet-infected S7 ladder logic file. Or an automated forklift that moves from site to site. At the extreme end, many people know we have been working with Boeing for the past few years – they have large mobile devices called 787s. What is important to remember is mobile devices can range from a CD with what appears to be an innocent document file, to the obvious iPhone, right up to entire mobile platforms.
The only way to address this range of evolving “mobile” technology is to use the Zone and Conduit concepts promoted in the ISA/IEC 62443 standards. Properly done, zone and conduit security can result in operational requirements that define a security process, rather than proscriptive requirements like “Mobile Devices should not be used on the plant floor.” Restricting devices seems simple and comforting, but since this is so narrow, restrictive and inflexible, it encourages inventive staff to find ways around the rules so they can do their job.
Recently I talked to a customer with a very innovative way to manage Wi-Fi-capable mobile devices on his factory floor. Instead of banning wireless technologies (something that is hard to enforce if you have a lot of contractors), he actually installed Wi-Fi access points throughout the manufacturing areas. Then he routed all the access points into a “Captive Portal” – one of those locked-down web pages you run into in hotels and airports.
This Captive Portal strategy had multiple benefits – first he immediately had a record of who was trying to use Wi-Fi in his factory. Second, by forcing all employees and contractors to log in, he could track exactly what they were doing and when. Then, based on each user’s log-in credentials, he could restrict network access to specific systems in his factory. For example, a contractor working on the Finishing Line could be restricted to only seeing the Finishing Line PLCs. And finally, by using deep packet inspection, he could force the contractors into a view-only mode by blocking all PLC write and programming commands.
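To make the conduit policy in that story concrete, here is an added illustration (not the customer’s system and not Tofino code) of the decision a captive-portal-fed conduit would take for each PLC request: map the client’s portal session to a role and a set of zones, check that the destination PLC is in an allowed zone, and then inspect the PLC command so that a contractor gets view-only access. It assumes the PLCs speak Modbus/TCP (the post does not name a protocol), and the IP addresses, zones, users and frames are constructed sample data.

```python
import struct
from dataclasses import dataclass

# Modbus/TCP function codes. Assumption: the PLCs speak Modbus/TCP; the post
# itself names no protocol, so this is an illustration of the idea.
READ_FUNCTIONS = {1, 2, 3, 4, 7, 17}        # coils, inputs, registers, status, ID
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}    # single/multiple coil and register writes
# Anything else (diagnostics 8, encapsulated transport 43, vendor codes) is
# treated as a programming/maintenance command and is never part of view-only.

# Zone definitions (constructed sample data): which PLCs belong to which area.
ZONES = {
    "finishing_line": {"10.1.10.11", "10.1.10.12"},
    "packaging": {"10.1.20.11"},
}


@dataclass(frozen=True)
class Session:
    user: str
    role: str           # "engineer" or "contractor"
    zones: frozenset    # zones this login may reach through the conduit


# What the captive portal hands the conduit after a successful login
# (constructed sample sessions keyed by the client's IP address).
SESSIONS = {
    "10.1.50.5": Session("alice", "engineer", frozenset(ZONES)),
    "10.1.50.6": Session("bob-contractor", "contractor", frozenset({"finishing_line"})),
}


def parse_mbap(frame: bytes):
    """Return (unit_id, function_code) from a Modbus/TCP frame, or None if malformed."""
    if len(frame) < 8:
        return None
    # MBAP header: transaction id, protocol id (0 for Modbus), length, unit id,
    # followed by the first PDU byte, the function code.
    _tid, proto, length, unit, fc = struct.unpack(">HHHBB", frame[:8])
    if proto != 0 or length != len(frame) - 6:
        return None
    return unit, fc


def zone_of(plc_ip: str):
    for name, members in ZONES.items():
        if plc_ip in members:
            return name
    return None


def decide(client_ip: str, plc_ip: str, frame: bytes):
    """Conduit policy: returns ("allow" | "deny", reason)."""
    session = SESSIONS.get(client_ip)
    if session is None:
        return "deny", "no captive-portal session for client"
    zone = zone_of(plc_ip)
    if zone is None or zone not in session.zones:
        return "deny", f"{session.user} not authorised for zone {zone or 'unknown'}"
    parsed = parse_mbap(frame)
    if parsed is None:
        return "deny", "malformed Modbus/TCP frame"
    _, fc = parsed
    if fc in READ_FUNCTIONS:
        return "allow", f"read function {fc}"
    if session.role == "engineer" and fc in WRITE_FUNCTIONS:
        return "allow", f"write function {fc} by engineer"
    # Contractors never get writes; nobody gets unknown/programming codes here.
    return "deny", f"function {fc} blocked for role {session.role}"


# Constructed sample frames: Read Holding Registers (fc 3, 10 registers from 0)
# and Write Single Register (fc 6, register 1 := 42), both to unit 1.
READ_HOLDING = bytes.fromhex("000100000006" "01" "03" "0000" "000a")
WRITE_SINGLE = bytes.fromhex("000200000006" "01" "06" "0001" "002a")

if __name__ == "__main__":
    checks = [
        ("10.1.50.6", "10.1.10.11", READ_HOLDING),   # contractor reads its own line
        ("10.1.50.6", "10.1.10.11", WRITE_SINGLE),   # contractor tries to write
        ("10.1.50.6", "10.1.20.11", READ_HOLDING),   # contractor strays into packaging
        ("10.1.50.5", "10.1.10.11", WRITE_SINGLE),   # engineer writes
        ("10.1.50.9", "10.1.10.11", READ_HOLDING),   # no portal login at all
    ]
    for client, plc, frame in checks:
        print(client, "->", plc, decide(client, plc, frame))
```

The zone check runs before the packet inspection on purpose: a contractor who is not authorised for an area is denied before the conduit spends any effort parsing the request, and every denial carries a reason string that can be logged against the portal login, which is exactly the “who, what and when” record the captive portal was installed to provide.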
Information technologies are changing constantly. Trying to manage them with proscriptive rules is a hopeless task, because we can never keep up. Instead we need to work from general principles. For example, the definition of mobile device can expand from specific technologies (such as cell phones) to a definition based on their general functionality. For example, one proposed definition is “non-fixed location digital information storage or processing devices”. That covers basically anything that can contain an electronic 1 or a 0 and isn’t bolted down.
Once we have our definitions set, we can move onto determining what actions we want to manage. The example with the captive portal showed how all Wi-Fi devices (rather than subsets like laptop or iPad) can be managed in a uniform manner. If we stick to those principles, I believe we can have mobile devices and security at the same time.
Eric Byres is vice president and chief technology officer at Tofino Security. Click here to read the full version of the Practical SCADA Security blog and to download the white paper.