Industrial security gets a Linux lock
Control-system specialist Verano unwraps a security-enhanced Linux-based package to help utility companies, manufacturers and others protect their key infrastructure from digital attacks.
The product, dubbed Industrial Defender, aims to close holes in the security surrounding control systems used by utility companies, manufacturers and other industries. Verano announced the first piece, a network monitoring appliance and service, on Tuesday.
Moreover, unlike Honeywell, Siemens and many other companies in the industrial application market, Verano doesn't build its products on top of a special version of Microsoft's Windows operating system, but on a security-enhanced Linux (SELinux) system. Originally created by the U.S. government's military security agency, the National Security Agency (NSA), SELinux adds advanced security technology to further lock down the Linux operating system.
"Most of today's (control) systems were installed in the '80s and '90s, and weren't designed with security in mind," said Brian Ahern, CEO of the Mansfield, Mass.-based control-system management and security company. Ahern cited penetration tests by Verano's partners that indicate the network security around industrial control systems can be breached in as many as 90 percent of cases.
The package is an early effort to target an often-overlooked part of corporate networks: the control systems that monitor and maintain factories, energy plants and other industrial infrastructure. Such networks--the two common types being Supervisory Control and Data Acquisition (SCADA) networks and Distributed Control Systems (DCSs)--have come under intense scrutiny after the Sept. 11 terrorist attacks, as they could be weak points in a strike against critical components of the U.S. infrastructure.
While "cyberterrorism" has been the rallying cry of policy makers seeking stricter laws to punish hackers, and of government agencies asking for more funds, the chances and effects of any such attack have been greatly overblown. Instead, Ahern said, Verano's new service and software aims to protect a company's operation from the deleterious effects of a simple cyberattack.
"Any industries that are operating in a real-time market can't cut the cord and isolate themselves," he said. "They have remote dial-in capabilities for their remote engineers and have to have a way to guard those entry points."
While enterprise network security services do exist, the specialized network devices, or appliances, that monitor a network consume too much bandwidth, Ahern said. Typically, the general devices used in corporate networks can use between 6 percent and 10 percent of the typical 10mbps Ethernet used in most factories and control applications. For real-time control systems, that just won't do, he said.
Verano's expertise with control systems and its base of 200-plus industrial customers puts it in good stead, Spire Security analyst Peter Lindstrom said.
"Their big value-proposition is that they know the industry," he said. "Their stuff looks just like the products and services available in the enterprise security industry, but they are integrated differently."
Verano's Ahern said that getting companies to adopt a Linux-based system will take a few years, more because of the slow pace of the industrial sector than because of any lack of faith in the open-source operating system.
"My experience has shown that there is generally a three-year delay between when a technology moves into an enterprise and when it gets onto the plant floor," he said.
However, security may be the issue that will speed that adoption cycle up.