Industrial control systems are sensitive systems that must make decisions in real time to ensure the operation of the industrial process they govern. The latency and reliability in packet transmission is fundamental, since the protocols are connection-oriented but because of the main speed goal, many of them do not have included error recovery schemes other than those included in the TCP / IP stack.
Where is it possible to use encryption without affecting the operation of the industrial control process? Here are some examples:
- Power Transmission systems: The most critical communications that electrical systems have are the protections that activate the switches that handle the events of overloads in the transmission lines. Orders that are delivered to these devices can not exceed 12 ms roundtrip. Protocols such as IEEE C37.94 unfortunately still do not support encryption functionalities by default and because latency in a communications channel can easily exceed 12 ms by numerous factors that are normally seasonal and do not involve malfunctions of the platform Of communications, the use of encryption is not recommended because of the risks involved for the operation of the system. For all other communications using protocols like IEC 60870-5-104, IEC 61850 and DNP3, the crypto extensions detailed in IEC 62351 are recommended. For all other protocols that does not include a security standard like modbus, hardware crypto boxes or VPN devices works great.
- Water and gas systems: The most critical communications for the system are in the water catchment, pipes, tanks and potabilization plants. The orders sent to the RTU are not completed immediately and might take event minutes to finalize. Protocols like DNP3, BSAP and Modbus are able to handle some milliseconds (even 50) without any impact to the industrial process. In these systems, hardware crypto or VPN devices can be used
Manuel Humberto Santander Pel margin-right:0cm">SANS Internet Storm Center Handler
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Enlarge / Samsung's Smart TV interface, which seems to be running on Tizen. (credit: Samsung)
Tizen, the open source operating system that Samsung uses on a range of Internet-of-Things devices and positions as a sometime competitor to Android, is chock full of egregious security flaws, according to Israeli researcher Amihai Neiderman.
Samsung has been developing the operating system for many years. The project started as an Intel and Nokia project, and Samsung merged its Bada operating system into the code in 2013. Like Android, it's built on a Linux kernel, with a large chunk of open source software running on top. App development on Tizen uses C++ and HTML5.
Presenting at Kaspersky Lab's Security Analyst Summit and speaking to Motherboard, Neiderman had little positive to say about the state of Tizen's code. "It may be the worst code I've ever seen," Neiderman said. "Everything you can do wrong there, they do it."
Read 5 remaining paragraphs | Comments
