Cyber threats are ever increasing, and along with them the government and private sectors are scrambling to create definitions of responsibility, regulations, and compliance. The impact on your controls business could be devastating if you are not prepared and do not understand the implications. Ignorance is no longer a defense.
In the good ole days of system integration, system integrators would do anything to help their customers. This included running private IP networks so the building engineer could see their system from the computer in their office. This required us to learn how to set up IPs and switches and crimp CAT 5 connectors.
Our customers then asked us to connect their system to the corporate network so others in the building could connect to the control system. This was easy… Put another NIC in the frontend PC and bridge the two networks. All we needed to know then was how to install a NIC in a PC and set up an additional IP. The other solution was to migrate the entire system over to the corporate network. All that was needed was for us to change the IPs so they would communicate on the corporate network and connect CAT 5 cables to the corporate network…
Then the building engineer wanted to be able to check their system from home at night and on the weekends, so we, the system integrators, learned how to set up routers with public IPs. This put the control system outside the firewall, so no matter where the building engineer was in the world, he and billions of people could see his system. In fact, system integrators would even advertise this fact as a feature. But that was okay because who really cared about a control system anyway… Right?
We also assumed other responsibilities. We administered their users and user rights. We provided the PCs or servers and patched them. We installed the antivirus flavor of the week to “protect” their control system. We would install consumer-grade switches and routers from the big box stores and set up VPNs.
Is this a bad thing? Depends…