I learned via @jimcahill of Bob Huba’s presentation on a new smart firewall offering at the Emerson Delta V Global User Exchange and was eager to learn more. An article on ControlGlobal has limited details on it, but more interesting was the step back in time by Emerson. Rather than try to describe Emerson’s viewpoint, read it for yourself.
“When we asked customers about security and DeltaV, they asked if they could use Linux and get away from Microsoft, but we think that’s pretty unlikely. They also want purpose-built security tools, so they also can get away from commercial off-the-shelf devices that are more prone to being attacked,” said Huba. “But users really just want to know that their installations are secure at all times. However, they don’t have time to be bothered by security because they’re too busy keeping their plants up and running. Unfortunately, they say they can’t afford to hire security experts. They also want lowest-cost maintenance, and they can’t spend all their time patching systems, but they still want to limit their IT department’s efforts in this area.”
Huba reported that another major problem is that most users simply are not installing software patches to repair security vulnerabilities and defend against viruses and other malicious software. “We hear that no one is installing Microsoft’s patches because they’re worried the patches will cause problems and delays in their operations and production. They’re worried the cure will be worse than the disease.”
There is so much wrong with this approach and sentiment. If you don’t want to have any IT or IT security effort, then don’t install a modern network, computers and modern controllers. Go back in time and hire back all the operators and technicians that automation allowed you to release. Pass the information from the control system to the corporate network manually, on a handwritten pad of paper.
Does an owner/operator expect to have no maintenance on any other piece of equipment? You have to understand the lifecycle costs of anything you rely on in a plant.
The Linux comments are troubling as well, because they imply that a move to Linux would eliminate the need for security patching and the rest of the security work. It would not. Linux distributions ship security updates continuously, just as Microsoft does; changing operating systems moves the patching effort, it does not remove it.
Bob is not a newcomer to control system security. In fact, he was one of the first on the scene at the early ISA 99 meetings. However, somewhere along the way the Delta V team seems to have lost its way. This also shows how big companies can have very different security approaches across product lines. The Emerson Ovation team is very proactive, actually deploying and reselling some leading-edge security products in control systems. And if you can forgive me a Stuxnet reference, there are product lines in Siemens that have an active and competent security program.
There are a number of control system vendors that have solved the problems Emerson seems to be calling intractable. They are providing their customers with information and tools to secure their control systems. They are teaching them why security is important and cajoling them to integrate it into their procedures. Bob’s comments seem to indicate that the Delta V team thinks solving these Security 101 problems is impossible or impractical.
Delta V Firewall
After that tough love, I’m encouraged by the limited information on the smart firewall offering. Emerson is working with Wurldtech [FD: a past Digital Bond client] to identify and deploy a custom configuration for the Delta V network. This makes sense, since control systems, particularly a system like Delta V where Emerson provides all of the software and hardware, have relatively limited and predictable network traffic that changes little once the system is commissioned.
It sounds like the smart firewall will combine a traditional firewall ruleset with specialized signatures in an IPS approach. On a network that static, a default-deny ruleset built from the known-good flows can be tight without breaking anything, and the signatures catch abuse of the flows that are allowed. This could be an easy-to-install, easy-to-manage solution that is even more effective than a traditional perimeter firewall.
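To make the "firewall ruleset plus signatures" idea concrete, here is an added example in Python of how such a check works on a static control network: a default-deny allowlist of the flows observed during commissioning, followed by a small set of payload signatures applied only to the flows that are allowed. This is illustration written for this post, not Emerson's or Wurldtech's product code, and nothing about it comes from the article. The addresses, port numbers and signature strings are constructed for the example; the real DeltaV protocols and ports are not described in the article and would have to be baselined from the actual system.

```python
"""Allowlist firewall plus payload signatures for a static control network.

Added example for this post, not Emerson/Wurldtech code. Every host, port,
payload and signature below is constructed for illustration; real DeltaV
traffic would need its own commissioning-time baseline.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One direction of a conversation, as a firewall rule sees it."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Packet:
    flow: Flow
    payload: bytes


def learn_baseline(observed: Iterable[Flow]) -> FrozenSet[Flow]:
    """Turn flows captured during a known-good window into the allowlist.

    On a vendor-supplied system the set is small and stable, which is what
    makes default-deny practical here where it would be painful on an
    office network.
    """
    return frozenset(observed)


# Constructed commissioning capture (hypothetical hosts and ports).
COMMISSIONING_FLOWS = [
    Flow("10.0.1.10", "10.0.1.20", "tcp", 18507),  # operator station -> controller A
    Flow("10.0.1.10", "10.0.1.21", "tcp", 18507),  # operator station -> controller B
    Flow("10.0.1.20", "10.0.1.10", "udp", 18508),  # controller A -> operator station
    Flow("10.0.1.10", "10.0.2.5", "tcp", 443),     # station -> historian on business side
]
BASELINE = learn_baseline(COMMISSIONING_FLOWS)

# Constructed content signatures (name, byte sequence). A real IPS would use
# protocol-aware rules; these stand in for the mechanism, not real threats.
SIGNATURES: Tuple[Tuple[str, bytes], ...] = (
    ("shell-command-in-payload", b"cmd.exe /c"),
    ("admin-share-access", b"\\ADMIN$"),
)

Verdict = Tuple[str, Optional[str]]


def check_packet(pkt: Packet,
                 baseline: FrozenSet[Flow] = BASELINE,
                 signatures=SIGNATURES) -> Verdict:
    """Return ("drop", reason), ("alert", reason) or ("allow", None).

    Order matters: the ruleset runs first, so unknown flows never reach the
    signature engine, and signatures only inspect traffic the ruleset admits.
    """
    if pkt.flow not in baseline:
        return ("drop", "flow not in commissioning baseline")
    for name, needle in signatures:
        if needle in pkt.payload:
            return ("alert", f"signature {name} on allowed flow")
    return ("allow", None)


def report_drift(baseline: FrozenSet[Flow], observed: Iterable[Flow]) -> List[Flow]:
    """List flows seen in a later capture that the baseline does not cover.

    This is the maintenance side: when the vendor adds a service, the drift
    report is what tells the engineer the ruleset needs a deliberate change
    instead of a silently widened rule.
    """
    return sorted(set(observed) - baseline, key=lambda f: (f.src, f.dst, f.proto, f.dport))


if __name__ == "__main__":
    # Constructed traffic sample, not captured from any real system.
    sample = [
        Packet(Flow("10.0.1.10", "10.0.1.20", "tcp", 18507), b"\x01\x00read-tag"),
        Packet(Flow("10.0.1.99", "10.0.1.20", "tcp", 18507), b"\x01\x00read-tag"),
        Packet(Flow("10.0.1.10", "10.0.1.21", "tcp", 18507), b"cmd.exe /c whoami"),
        Packet(Flow("10.0.2.5", "10.0.1.10", "tcp", 445), b"\\ADMIN$"),
    ]
    for pkt in sample:
        print(pkt.flow, check_packet(pkt))
    print("drift:", report_drift(BASELINE, [p.flow for p in sample]))
```

Note that the fourth constructed packet is dropped by the ruleset before its signature ever matters: on a static network most of the value comes from the default-deny allowlist, and the signatures are there for misuse of the handful of flows that have to be open.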