Recently I’ve attended a few training classes/sales pitches on some new field devices coming into the market, and a trend I’m seeing is that more and more of them are being built on x86 processors running embedded Windows operating systems. A lot of things can come from this trend (more features, a larger pool of operators/developers, better integration with other devices, to name a few), but there is also the disadvantage of more exposure, both in the increased likelihood of being connected to business networks (directly or indirectly) and in attackers’ increased knowledge of the platform. This is not an argument for security through obscurity, but to a network scanner the differences between various Windows systems are minimal, and even if the control system components aren’t being targeted, a few wrong turns on the corporate network and an attacker looking for HR information could be throwing some nasty stuff at your devices.
The problem here, however, is not that these devices are getting more powerful or more feature rich, far from it; it’s that those responsible for administering the devices might not even be aware of the issues this brings. An analogous situation happened on the corporate side of the DMZ not too long ago: a worm called “Code Red” was running rampant through many networks and printers were being knocked over (Xerox and HP if I remember correctly) because they ran what was essentially Windows 2000 SP0 and an unpatched IIS server. In many cases those managing the printers had no idea that the systems were vulnerable, and if they did there was no patch available from Xerox or HP, even though Microsoft had patched it more than a month before. This is another vital reason to regularly examine your networks for any unneeded services.
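One way to turn that advice into a repeatable check is to keep a per-device-class baseline of the services each device is supposed to expose, and diff every periodic scan of the control network against it. The script below is an added example, not code from the original post; the line-oriented scan format (`host port/proto state service`), the hostname-prefix naming convention, and every host, port and baseline value in it are constructed for illustration.

```python
"""Compare observed listening services on field devices against an expected baseline.

Anything open that the baseline does not list (an IIS on a printer, SMB on a PLC)
is reported so the owner can disable it, patch it, or add it to the baseline on purpose.
"""
from dataclasses import dataclass

# Constructed sample scan output. Format assumed here: "host port/proto state service".
SAMPLE_SCAN = """\
# host        port/proto  state   service
plc-01        102/tcp     open    iso-tsap
plc-01        80/tcp      open    http
plc-01        445/tcp     open    microsoft-ds
printer-03    9100/tcp    open    jetdirect
printer-03    80/tcp      open    http
printer-03    135/tcp     open    msrpc
hmi-02        3389/tcp    open    ms-wbt-server
hmi-02        445/tcp     open    microsoft-ds
hmi-02        23/tcp      closed  telnet
unknown-07    80/tcp      open    http
"""

# Constructed baseline: services each device class is expected to expose, keyed by (port, proto).
BASELINE = {
    "plc": {(102, "tcp")},
    "printer": {(9100, "tcp"), (80, "tcp")},
    "hmi": {(3389, "tcp")},
}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    proto: str
    service: str
    reason: str


def device_class(host: str) -> str:
    """Map a hostname to its device class; assumes the constructed '<class>-<nn>' convention."""
    return host.rsplit("-", 1)[0]


def parse_scan(text: str) -> dict:
    """Parse scan lines into {host: {(port, proto): service}}, keeping only open ports."""
    observed: dict = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        host, port_proto, state, service = line.split()
        if state != "open":
            continue
        port, proto = port_proto.split("/")
        observed.setdefault(host, {})[(int(port), proto)] = service
    return observed


def audit(observed: dict, baseline: dict) -> list:
    """Return one Finding per open service that the baseline does not account for."""
    findings = []
    for host in sorted(observed):
        cls = device_class(host)
        expected = baseline.get(cls)
        for (port, proto), service in sorted(observed[host].items()):
            if expected is None:
                # A host whose class has no baseline is itself a finding: inventory is incomplete.
                findings.append(Finding(host, port, proto, service, "no baseline for class %r" % cls))
            elif (port, proto) not in expected:
                findings.append(Finding(host, port, proto, service, "not in baseline for %r" % cls))
    return findings


def report(findings: list) -> str:
    """Render findings as one line each, suitable for a ticket or a cron mail."""
    return "\n".join(
        "%s %d/%s (%s): %s" % (f.host, f.port, f.proto, f.service, f.reason) for f in findings
    )


if __name__ == "__main__":
    print(report(audit(parse_scan(SAMPLE_SCAN), BASELINE)))
```

The baseline is deliberately per device class rather than per host, so a new PLC that appears on the segment is checked against the same expectations as the existing ones, and a host whose class nobody has written a baseline for shows up as a finding instead of being silently ignored.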
I see a lot of similarities between PLCs and cellular phones: until very recently they’ve both been, by most standards, “dumb” devices, but now there isn’t a whole lot that your desktop computer can do that your cell phone can’t. And where previously they were locked into one network and only worked with your service provider’s services, they’re now active on many different types of networks and connecting to all sorts of other devices. The cellular phone companies have had to put a lot more thought into security (on both ends) than they had to in the past, their networks are no longer just a single protocol but a vast array of different ones, often intermingled and layered on top of one another, and they’re still trying to figure out patching too.
In the end it’s about everyone in the chain, from the upstream providers (be it MS, VxWorks, etc.) to the vendor and on down to the end users themselves, being as knowledgeable as possible about the features, risks, and mitigations provided by each layer. As our field devices get smarter and more interconnected, the management of those systems will of necessity become more complex. The only thing worse than not being prepared to address a risk is not knowing about it.