Tuesday, August 4, 2015

Is your home computer safer than your local nuclear power plant?

There are times that I think that I may be better off putting my personal things into the cloud than maintaining them on my own hardware. After all, cloud professionals spend all day thinking about security, while it's not always in the front of my own mind.

Then there are times that I'm not so sure.

There are all sizes and types of computer systems that are out there. You can start with something as small (and powerful) as a smartphone, then move up to a laptop or desktop computer, then to a system that consists of several computers, and then move on up to the big iron - the stuff that runs critical functions such as nuclear power plants.

As you move up to the higher end of the spectrum, systems will use Industrial Ethernet Switches. I don't use an Industrial Ethernet Switch on my home computer. The term is meaningless for my smartphone. Yet these serve as the backbone of many an industrial system.

But what if there's a vulnerability in such a system?

Now if a home user has a vulnerability in his or her system, the home user will probably get a notification from Microsoft or Google or Apple or whoever to fix something. Or the home user may not have a choice; the OS provider may just patch that vulnerability without letting the user know until after the fact.

But the security issues at a large industrial site serve to preclude rapid fixes of problems. Patrick Howell O'Neill describes the timeline for an average fix:

Incredibly, it can take up to three years to fully fix any given problem. The process is slow and costly.

First, the researchers notified the federal government or another third party of the vulnerability and then the vendors themselves. Then, it took switch vendors like General Electric eight months and Siemens three months to issue patches that sometimes only fix a portion of the problem. While the patch then exists, research shows that industrial facilities don't actually implement the patches for up to 18 months afterwards.

Implementing a patch on critical hardware like the switch involves jumping through numerous hoops with management and then bringing the entire network down, which can cost thousands or millions of dollars every hour, according to the researchers. For that reason, many of these facilities are almost never patching more than once a year, and the timespan is often much longer.

O'Neill notes that researchers, in addition to figuring out how to patch a particular vulnerability, also have to spend time figuring out what to do for customers who are a couple of years away from implementing any such patch.

To be fair, companies that deal in customer data know that they can't wait years to fix patches, and are therefore more aggressive at it. But your local power plant may not be as aggressive.

And that's your comforting thought for the day.
blog comments powered by Disqus