Industry, automation and electronics
If you enter any industry that is automated, you'll see that who has programmed electronics or PLCs are for general industrial engineers, who know how to program but haven't had the necessity of making their systems secure. As a general rule an industry automation was a black box closed to the world of communications.
Devices that are the core of automation?
First start speaking of a PLC or a microcontroller (such as Arduino) that performs a task, usually simple, cyclic and critical. It electronic of a PLC or a Micro is much more simple that any computer or smartphone, basically this device takes some tickets and performs an output, are going to it more easy, a thermostat that if rises the temperature active a fan but if low you gives more force to the boiler. Mention that in many cases they need to be fast by security issues, you may not give us the typical blue screen of Windows or fall, these systems do not have operating system that are more robust than a normal PC.
Internal network of factory
Now that we know that there are electronic devices that perform cyclical and that are programmed directly on the hardware (without operating system), we will analyze all the production. Imagine a, e.g. bottling plant that performs the following tasks:
- Verifies that there are bottles in the beginning of the string where a robotic arm takes them and puts them on a tape in a straight line.
- The following machine clean the bottles, checks that enters a for you injected water with SOAP.
- We then rinsed them.
- It is a drying programme.
- We introduce the liquid inside.
- We apply the CAP
- We collect in boxes of 12 bottles.
Well as each one of those processes has at least one machine and each machine has of your electronics. The entire process is connected in a local network, does not have to be ethernet there are industrial own protocols. All the machines talk to each other, if one has been stopped for the rest of the process forward or back, etc etc. But all those machines are controlled by a computer or multiple computers that control the process in a program called SCADA. All of this without being connected to the Internet.
The next thing was to connect those computers to the Internet but that the SCADA operator could see mail or use the browser, but there was always a fear to connect throughout the factory. Here, there was never a security expert. The SCADA systems are programmed with software that are designed to be simple.
Problems here ciberserguridad
Yet here there has been major security problems first I'm going to highlight was an attack on WinCC Siemmens software for programming industrial SCADA, possibly the most famous of the market. They found several vulnerabilities in WinCC, now known as Stuxnet computer worm sneaks into the system and rescheduled the PLCs of the centrifuges so that they are multiplying. Possibly Stuxnet "is colo" via a USB.
Another problem I found professionally is to see maintenance technicians to install a "virtual desktop", software that allows you to view and interact with the computer in plant, i.e. own technician opens a door without that their supervisors know it, so if there is an emergency at the factory can solve it from home. Heads a terrible fear that the computer can be accessed from the outside and is someone from the inside without malice any installed software, is not better to create secure systems connected to the cloud already?
Finally the internal systems tend to be protocols not encrypted and few insurance. Indeed, in many applications don't need to worry about this, are small factories and where an attack is difficult. But it is true that here the Automation Engineers have not been very good friends of the computer.
The Internet of things.
It Internet of them things consists in connect all to the network of networks, your House, your car, the factory of before, the cities… including yourself. Imagine the industry that creates these products, however small or StartUps. Every time I see more electronic products that belong to the Internet of things, consumption meters, thermostats, light bulbs… many of these devices are created by electronic. A StartUps tend to be two people, the technical and the businessman (true that it is not always so). If the StartUp is electronics, our technician is the same as before, an engineer electronic or Automation, who knows programming knows that things work but does not think that you are going to hack your product, there are to get the minimum viable product as before, and this has to work but not be sure.
Why the big problem that has the Internet of things is that first you have to sell the consumer wants something that works do not question if it has passed a safety test, he is not a technician. As when you buy a car you ask testing of airbag or cushions das by fact that have been made and passed, in addition there is a legislation and is not the same with this electronics which if you have regulations as to whether passes electromagnetic radiation and links controls but they have no rules about how vulnerable that are.
Real-world example, light counters
Recently in Spain have replaced all former analogue counters by ones with lights and that they connect to the Internet and send information, thus electricity companies save costs by not having inspectors measuring counters. You can detect fraud in real-time