Password Management Practices for Industrial Systems

12 May 2022

Rotem Bar, Senior ICS/OT Division Manager, BDO Israel

Industrial control systems (ICS) such as SCADA (Supervisory Control and Data Acquisition) systems and PLCs (Programmable Logic Controllers) are the backbone of industrial automation. They are used to operate factory equipment and, in some cases, even nuclear reactors.

For years, industrial systems were designed to be used by a single person or a small group of people who know each other. In practice, every person knows everyone else's password, and there is little perceived need to protect the credentials used to access industrial machines or control panels.

These systems are designed to be operated remotely or by trained personnel, and their design does not account for per-user authentication. Hence, passwords are often removed or disabled to ease operation.

Safety is a major concern in the workplace. Companies want to ensure that their employees are safe, but they also want to save money. This creates a dilemma for industrial security: on one hand, security controls must be reliable and quick so they do not get in the way of operation; on the other hand, they must be strong enough for the risks an incident could cause.

Recent cyber-attacks have shown that these practices are no longer secure. Even worse, some of these industrial systems ship with default and weak passwords that can be found with a Google search. The reason is that there is no strong regulation on how these passwords should be stored, and during the commissioning phase everyone tries to make the work as easy and quick as possible; security controls are not imposed on the finished system afterwards, because no one wants to touch a working system.
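The conditions described above (vendor defaults left in place, trivial passwords chosen during commissioning, one password shared by everyone) can be checked mechanically against a commissioning inventory. The following script is an added example, not code from the original article or from BDO; the vendor names, device names, default-credential table and common-password list are constructed placeholders, not real product defaults.

```python
"""Audit a commissioning inventory of ICS/SCADA devices for the credential
weaknesses discussed above: vendor default credentials, weak or common
passwords, and one password reused across several devices.

Added example, not from the original article. Every vendor name, device
name and credential pair below is a constructed placeholder.
"""
from collections import defaultdict

# Constructed stand-in for the list of vendor default credentials an auditor
# would maintain from vendor manuals. Not real product defaults.
KNOWN_DEFAULTS = {
    "ExamplePLC": {("admin", "admin"), ("operator", "operator")},
    "ExampleHMI": {("root", "1234")},
}

# Constructed list of passwords an attacker would try first.
COMMON_PASSWORDS = {"password", "1234", "12345678", "admin", "welcome1"}

MIN_LENGTH = 12  # assumed site policy for device passwords


def weakness_reasons(vendor, username, password):
    """Return the list of reasons a single credential pair is weak (empty if none)."""
    reasons = []
    if (username, password) in KNOWN_DEFAULTS.get(vendor, set()):
        reasons.append("vendor default credentials")
    if password == "":
        reasons.append("empty password")
    elif password.lower() in COMMON_PASSWORDS:
        reasons.append("common password")
    if 0 < len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if password and password.lower() == username.lower():
        reasons.append("password equals username")
    return reasons


def audit_inventory(devices):
    """devices: list of dicts with keys vendor, name, username, password.

    Returns {device name: [reasons]} for every device with at least one
    finding. Devices with no finding are absent from the result.
    """
    findings = defaultdict(list)
    by_password = defaultdict(list)
    for d in devices:
        reasons = weakness_reasons(d["vendor"], d["username"], d["password"])
        if reasons:
            findings[d["name"]].extend(reasons)
        by_password[d["password"]].append(d["name"])
    # The same password on several devices means a compromise of one device
    # (or one operator's knowledge) is a compromise of all of them.
    for names in by_password.values():
        if len(names) > 1:
            for n in names:
                findings[n].append(
                    f"password shared with {len(names) - 1} other device(s)")
    return dict(findings)


# Constructed sample inventory, as it might be exported from commissioning notes.
SAMPLE_INVENTORY = [
    {"vendor": "ExamplePLC", "name": "plc-line1", "username": "admin", "password": "admin"},
    {"vendor": "ExamplePLC", "name": "plc-line2", "username": "admin", "password": "Summer2022!"},
    {"vendor": "ExampleHMI", "name": "hmi-line1", "username": "root", "password": "Summer2022!"},
    {"vendor": "ExampleHMI", "name": "hmi-line2", "username": "root", "password": "xK9#vL2mQ8rT4pW!"},
]

if __name__ == "__main__":
    for name, reasons in sorted(audit_inventory(SAMPLE_INVENTORY).items()):
        print(f"{name}: {'; '.join(reasons)}")
```

On the sample inventory, plc-line1 is flagged for vendor defaults (and the common, short, username-equals-password checks that follow from it), plc-line2 and hmi-line1 are flagged for a short password that is also shared between them, and hmi-line2 produces no finding. Running such a check at the end of commissioning, before the system is declared "working", is the point where it is still cheap to act on the results.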

One of the most important areas for improving security is adding security processes to the workflow. These should be added at every opportunity where they make sense, as this leads to greater improvements in safety while simultaneously reducing risk.

