Trying to turn the tide of Windows is as hopeless as commanding the sea to halt – letter to the editor

Mike Lees shares his view on system connections

Last month Mitsubishi Electric argued that, in light of Stuxnet, PLC based connections between the plant/asset and the enterprise represent a more secure option than PC connections (Industrial Technology, August, Why Stuxnet has changed the security landscape). However, because Stuxnet was the first virus to have a PLC rootkit, I think it proves quite the opposite. It demonstrates that, without protection, no system is safe, whether its PC or PLC based.

Legend says that King Cnut sat at the shore of the sea and commanded the tide to halt and not wet his feet and robes. The sea continued unabated of course. Attempting to stem the tide of Windows based industrial computing is equally futile. As engineers, we chose Windows two decades ago. It’s much too late to change our minds now.

The real task, as Mitsubishi astutely observes, is to protect those systems that already exist. As a provider of industrial IT solutions we are now implementing security devices specifically designed for industrial applications, effective in securing protocols such as Modbus TCP and OPC Classic.  These devices can be installed without plant downtime, are easy to configure by control engineers and meet or exceed standards such as NERC CIP, ANSI.ISA-99 and IEC 62443. And there’s no need to replace your legacy PCs with specialist PLCs.

Ultimately though, Mitsubishi is correct in arguing that the UK and Europe’s industrial computing infrastructure is horrifically exposed to attack. This is particularly true of those elements of it that are running on legacy IT and control systems. The lifespan of the existing installed base of industrial computing and automation solutions means that we will be dealing with this risk for years to come, providing we choose to do more than just stand on the shore at shout at the sea.