Today’s press release from an unnamed company (to protect the innocent of course) has driven me to zombify the tired “all you base” internet meme. In our ever growing drive to trade security for ease of use and convenience you can purchase micro devices that plug into your RS-485 lines and on one end, encapsulate your previously somewhat protected serial comms into nice TCP/IP packets, and send them across your ethernet network to the other end where they are decapsulated and passed back serially to your field device. Sounds nice at first glance, allowing you to use existing twisted pair wiring, until you look at it with a security perspective.
These communications which were previously somewhat protected from the majority of IT based attack vectors are now exposed to the same packet tampering, replay and data spoofing attacks of any other TCP/IP communication. The protocols are not unknown, serial Modbus being an example where documentation is available and an educated attacker could now readily tamper with the data. From a hacker’s perspective, the more perviously tough to get at serial back plane communications now encapsulated in TCP/IP the better.
Upon reading the press release I dug up more info on the product hoping to find some assurance of packet hashing or encryption.
At S4, one of the break discussions I engaged in was how much would it cost manufacturers to upgrade CPUs in forthcoming devices to CPUs that would support full packet encryption, without adding latency into the communications pathway. The consensus was from a pure manufacturing stand point, less than $5.00 a device. While this doesn’t account for the additional R&D and testing such a product would require it does beg the question:
When will we stop trading ease of use and the saving of a few dollars in product development for actually producing products where security is one of the driving design principles?