03 November, 2006

5 Myths - part 2 of 6

Myth # 1
Process Control systems are different from normal IT systems.
Process Control systems are the same as normal IT systems.
(two sides of the same misunderstanding)

On a technological level most of the systems that are used for DCS use the same (or closely related) protocols, infrastructural software (OS's, DNS, IP etc.) and hardware of standard IT systems. Just like any other IT system they need patching, software release/change management, AV, and system administration. They are vulnerable to the same exploits, worms and attacks that any other IT system is vulnerable to.

They are different because there are very few other applications that actually result in safety, environmental and physical production risks directly. In some cases even a very small interruption or alteration in operation can cause production interruption or even safety issues. IT needs to understand that these are not just web servers or email systems. Proper change management and communication with the specific users of the system is essential before doing anything.

Likewise the operators and engineers that use these systems need to realize that the systems are just as vulnerable (often more vulnerable) to worms and hacks therefore they need to be patched, AV protected and even scanned (when done properly) just like any other system. Indeed they need to be.

If there is any differentiating trend it is that in general these systems lag IT by 5 to 10 years. VAX and NT 4 sometimes even 95 and DOS are still around. There is also a fair amount of proprietary systems but often they are built on top of an older UNIX variant and have similar flaws. This is due to a number of reasons. Most of these systems cost substantially more per instance than a similar IT system. It takes more time and effort to incorporate them into designs because there are design considerations and testing that IT would never have to worry about. There is also a bias (especially in the nuclear arena) to only want to use well proven tech. Obviously this isn't universally true. Some designs are quite advanced and obviously newer facilities are more likely to have more up to date systems. I do feel it is a fair generalization and if someone wants to challenge me on it feel free in the comments or via email. One side effect of this lag is that many of the headaches that IT dealt with in the dot com boom are now being felt in the DCS/SCADA world. (many of the benefits as well). This is particularly true in the case of security.

No comments: