Industrial security gets a Linux lock

[InfoSec News <isn () c4i org>]

http://news.com.com/2100-1009_3-1015389.html

By Robert Lemos 
Staff Writer, CNET News.com
June 10, 2003

Control-system specialist Verano has introduced a service and software
package to help companies protect their critical infrastructure from
digital attacks.

The product, dubbed Industrial Defender, aims to close holes in the
security surrounding control systems used by utility companies,
manufacturers and other industries. Verano announced the first piece,
a network monitoring appliance and service, on Tuesday.

Moreover, unlike Honeywell, Siemens and many other companies in the
industrial application market, Verano doesn't build its products on
top of a special version of Microsoft's Windows operating system, but
on a security-enhanced Linux (SELinux) system. Originally created by
the U.S. government's military security agency, the National Security
Administration (NSA), SELinux adds advanced security technology to
further lock down the Linux operating system.

"Most of today's (control) systems were installed in the '80s and
'90s, and weren't designed with security in mind," said Brian Ahern,
CEO of the Mansfield, Mass.-based control-system management and
security company. Ahern cited penetration tests by Verano's partners
that indicate the network security around industrial control systems
can be breached in as many as 90 percent of cases.

The package is an early effort to target an often-overlooked part of
corporate networks: the control systems that monitor and maintain
factories, energy plants and other industrial infrastructure. Such
networks--the two common types being Supervisory Control and Data
Acquisition (SCADA) networks and Distributed Control Systems
(DCSs)--have come under intense scrutiny after the Sept. 11 terrorist
attacks, as they could be weak points in a strike against critical
components of the U.S. infrastructure.

While "cyberterrorism" has been the rallying cry of policy makers
seeking stricter laws to punish hackers, and of government agencies
asking for more funds, the chances and effects of any such attack have
been greatly overblown. Instead, Ahern said, Verano's new service and
software aims to protect a company's operation from the deleterious
effects of a simple cyberattack.

"Any industries that are operating in a real-time market can't cut the
cord and isolate themselves," he said. "They have remote dial-in
capabilities for their remote engineers and have to have a way to
guard those entry points."

While enterprise network security services do exist, the specialized
network devices, or appliances, that monitor a network consume too
much bandwidth, Ahern said. Typically, the general devices used in
corporate networks can use between 6 percent and 10 percent of the
typical 10mbps Ethernet used in most factories and control
applications. For real-time control systems, that just won't do, he
said.

Verano's expertise with control systems and its base of 200-plus
industrial customers puts it in good stead, Spire Security analyst
Peter Lindstrom said.

"Their big value-proposition is that they know the industry," he said.  
"Their stuff looks just like the products and services available in
the enterprise security industry, but they are integrated
differently."

Verano's Ahern said that getting companies to adopt a Linux-based
system will take a few years, more because of the slow pace of the
industrial sector than because of any lack of faith in the open-source
operating system.

"My experience has shown that there is generally a three-year delay
between when a technology moves into an enterprise and when it gets
onto the plant floor," he said.

However, security may be the issue that will speed that adoption cycle
up.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.