The newly appointed “Cyber Security Czar”, Howard Schmidt, recently noted that he considers smart phones and similar devices one of the largest areas of concern for cyber security, saying, “What they’ve been attacking on the desktop they’ll start attacking in our mobile devices as they become more like PCs in our pockets. We can’t wait five years to do something about it. We have to do something now.”
This resonated with me, as I posted a similar line of thought when a virus for iPhones was making the rounds in November. As our mobile devices converge in abilities with our desktop devices, they become a growing attack vector. New smart phones run applications and have processing capabilities rivaling those of PCs from just a few years back.
The use of smart phones in a control system environment is not a decision which should be entered into lightly. The threat surface of these smart devices is actually greater than that of the clunkier desktop devices. They have all of the cyber pathways plus an added layer of physical security weakness: extreme portability. The physical security advantage goes to the desktop PC, as it is less likely to fall out of your pocket in a public place.
If such a scenario were to occur and a SCADA-enabled, pocket-sized smart device were inadvertently dropped by an employee, what are the potential ramifications?