HAL Software CTO, Cormac Garvey, CISSP, deep dives into modern .NET software development, creating tamper proof, strong assemblies, and implementing ISA-S99-01/02/03.
Garvey outlines mobile software risks, MILS (Multiple Independent Levels of Security), and a misalignment between the IT world, internet software development, and industrial automation security. Along the way, he discusses the drawbacks of using PKI for real-time control communications encryption, the pros and cons of moving your SCADA infrastructure to a sand-boxed web browser style architecture, and open source vs. proprietary software. He makes recommendations for both future control system specification and additions to existing testing, and outlines the technical holes for which there is presently no solution.
The 9 Verizon threat areas as applied to industrial automation are reviewed, and the impact of Stuxnet through to Havex is discussed, together with what the Avionics Industry and embedded control systems are doing about it.
There are plenty of articles on cyber security but very few have anything new to add. Hopefully this paper is different and will help every factory IT & Automation manager to get up to speed, rapidly, on control system security in 2014.