NDU prof: Digital control systems can weaken security
- By William Jackson
- Jul 23, 2003
The growing integration of digital control systems with traditional computer networks is opening a new avenue of attack against the nation's physical infrastructure, John H. Saunders, a professor at the National Defense University, said today.
Controls for operating utilities, buildings and campuses are being turned over to cost-effective digital systems with remote access capabilities.
'The security part of the equation never arises,' Saunders said at the GOVSEC security conference in Washington. 'I think we've been lucky until now, but I wouldn't count on that continuing. It won't be long before anyone in the world is able to access these systems.'
Proprietary protocols and single-purpose firmware have offered a degree of security for these systems. But standardizing on a few protocols is increasing the risk.
'IP is overrunning this whole area,' Saunders said. 'It has been adopted at all levels.'
Digital control systems also are being connected to LANs, WANs and the Internet for remote administration. 'For the most part, security has not been a focus for vendors,' he said. 'They tend to push functionality and access levels."
Government administrators can do little about the level of security at utilities, but they can increase security within their own buildings, Saunders said.
Building engineers need to focus on security the way systems administrators do, by performing systems inventories and vulnerability and risk assessments, and by implementing policy, he said.
Saunders said the first security standards for digital control systems are expected to be released soon by ISA, a standards organization based in Research Triangle Park, N.C. The National Institute of Standards and Technology also is expected to release security guidelines soon.
William Jackson is a Maryland-based freelance writer.