Computerworld - When an employee from an Australian company that makes manufacturing software got fired in early 2000, he applied for a job with the local government, but was turned down. In retaliation, he got a radio transmitter, went to a nearby hotel where there was a sewage valve, and used the radio to hack into the local government's computerized waste management system.
Using software from his former employer, he released millions of gallons of raw sewage near the hotel grounds and into rivers and parks.
"He did this 46 times before he was caught," notes Joe Weiss, a process-control cybersecurity expert and consultant at the Cupertino, Calif., office of Kema Consulting. "The first 20 [times], they didn't even know it was cyber," meaning an external attack launched using a computer, he says. "From 20 to 45, they finally figured it was cyber, but they didn't catch him until 46." Though this person never worked for the wastewater utility, he was still able to break into its supervisory control and data acquisition system, which was designed with a big security assumption in mind -- that only insiders would want to access it.
Hundreds of thousands of similar process systems and networks used in dozens of industries worldwide remain dangerously vulnerable. And like it or not, IT managers need to address this problem despite three enormous challenges: the traditional barriers between IT and the engineers who typically run process networks, the highly customized nature of process applications, and the lack of security software for process applications and networks.
Historically, IT has had little, if anything, to do with process-control systems, because they run reliably and rarely crash. Instead, IT focused strictly on corporate data networks. But that needs to change, experts say.
Process-control networks are to manufacturing environments what IT is to an office -- endemic. For example, more than 2,400 oil, natural gas and chemical companies in the U.S. employ process-control networks in their manufacturing systems. Other heavy users of process networks include the power, water, food, drug, automobile, metal, mining and manufacturing industries.
For example, process networks in the chemical industry control chemical-making equipment and monitor sensors. If anything goes wrong, such networks react by adjusting the environment in predefined ways, such as shutting off gas flow to prevent leaks or explosions.
One company that's taking process network security seriously and involving IT is Du Pont Co. in Wilmington, Del. Tom Good, a project engineer at the chemical manufacturer, has been leading its 20-month-old effort to categorize and reduce its process-control
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
