[Ics-security] Problems tracking controls HW and SW

Kelly Mahoney mahoney at jlab.org
Wed May 9 10:02:54 EDT 2012


As I get alerts from ICS-CERT, I try to look through the PR system to 
see if anyone at JLab purchased the product(s) in question so I can 
ensure they are informed.  This turns out to be very difficult for 
several reasons -
1.) The controls world is notoriously incestuous in that many companies 
will rebrand an OEM product and sell it as their own.  I've seen some of 
the HIMA I/O line sold by no less than five manufacturers.
2.) Siemens' sales slogan is "If we don't sell it we will buy a company 
that does."  This is pretty true of the business.  When tracking down a 
particular EPICS IOC manufacturer, I found the company and/or product 
line had been bought and sold four times.
3.) OEM manufacturers will rebrand their own devices to appeal to a 
particular market - the example at JLab is the Koyo PLC line from Asia 
sold in the US as "Direct Logic."

Problems on the purchasing side:
4.) Many components and hardware are sold through distributors.  JLab 
purchasing will go to multiple distributors to get the best price.  A PR 
search will typically not turn up a particular manufacturer.  A search 
for a distributor may only give a partial list and may not include the 
product of interest.
5.) To make matters worse, Purchasing is required to use a given 
percentage of small/disadvantaged businesses.   Many times these 
businesses are set up to act as middlemen - they get the PO from JLab, 
then go to a large distributor, who then orders from the actual 
manufacturer.

Things we can do to help:

1.) When ordering controls HW/SW, include keywords such as Controls, 
PLC, SCADA, HMI, I/O, ... that make searching easier.
2.) Try to include the manufacturer's name and/or product line in the 
descriptive text.

In the next few months, we would like to develop a database of controls 
hardware and software used at the Lab.  This will make the job of 
matching threats to specific JLab equipment much easier.  If you send 
me (FOR SECURITY REASONS *_DO NOT REPLY ALL_*) a list of controls 
hardware and software you are using I will start compiling the data.
Info should include:
Manufacturer (e.g. Rockwell, GE, ABB, Motorola, Direct Logic, Siemens, 
National Instruments, Cisco, ...)
Vendor (Name of vendors on PRs or credit card purchases)
Description (PLC, PC-104, SCADA SW, PLC Programming SW, ...etc.)
Function (PSS, CMTF Controls, CHL Controls, Test Stand, HVAC, Fire, 
Building Controls, RF HPA controls,...etc.)
Location(s) - note if multiple units are used, then list the facility as 
the location (CEBAF, HALLA/B/C/D, FEL, CMTF,...)
Model/Part Number
Software Platform (Windows XP/7 32/64 bit, Linux, RTEMS, VxWorks, ...)
Software and/or Firmware Revision
Owner name and e-mail
JLab Property tag, if applicable

_*DO NOT INCLUDE NETWORK IDENTIFIABLE INFORMATION*_ such as IP or MAC 
address, Computer name, or network name.  This will be collected separately.


Kelly Mahoney
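As an added illustration, not code from the post or from JLab, here is a small Python script showing how an inventory built from the fields listed above could be matched against an advisory: rebranded names are collapsed to the OEM (the Koyo / "Direct Logic" case from the post), matches are narrowed by model and firmware revision, and records carrying IP or MAC addresses are flagged so they can be kept out of the submission. All products, revisions, vendors and owners in the sample data are constructed.

```python
# Added example, not from the post: match an advisory against a controls
# inventory built from the fields listed above. All names, models and
# revisions are constructed; only the Koyo / "Direct Logic" rebrand is from the post.
import re
from dataclasses import dataclass
# Rebranded sales names mapped to the actual OEM ("Direct Logic" -> Koyo, per the post).
MANUFACTURER_ALIASES = {"direct logic": "koyo", "directlogic": "koyo"}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MAC = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")

@dataclass
class Asset:
    manufacturer: str   # as written on the PR, possibly a rebrand
    vendor: str         # distributor or middleman on the PR
    description: str    # PLC, SCADA SW, ...
    function: str       # PSS, HVAC, ...
    location: str       # CEBAF, FEL, ...
    model: str
    revision: str       # software/firmware revision
    owner_email: str

def canonical(manufacturer: str) -> str:
    """Collapse a rebranded name to the OEM so either name matches an advisory."""
    key = manufacturer.strip().lower()
    return MANUFACTURER_ALIASES.get(key, key)

def network_info_fields(asset: Asset) -> list[str]:
    """Fields carrying an IP or MAC address; the post says to leave these out."""
    return [name for name, value in vars(asset).items()
            if IPV4.search(str(value)) or MAC.search(str(value))]

def match_advisory(advisory: dict, inventory: list[Asset]) -> list[Asset]:
    """Assets whose OEM, model and revision fall under the advisory."""
    oem = canonical(advisory["manufacturer"])
    models = {m.lower() for m in advisory["models"]}
    affected = advisory.get("affected_revisions")   # None means every revision
    return [a for a in inventory
            if canonical(a.manufacturer) == oem and a.model.lower() in models
            and (affected is None or a.revision in affected)]

# Constructed sample data; not real products, people or purchases.
INVENTORY = [
    Asset("Direct Logic", "SmallBiz Supply", "PLC", "HVAC", "CEBAF",
          "DL-EXAMPLE-1", "2.1", "owner1@example.org"),
    Asset("Koyo", "Big Distributor", "PLC", "Test Stand", "FEL",
          "DL-EXAMPLE-1", "3.0", "owner2@example.org"),
    Asset("Siemens", "Big Distributor", "PLC", "Building Controls", "CMTF",
          "S7-EXAMPLE", "1.0", "owner3@example.org"),
]
ADVISORY = {"manufacturer": "Koyo", "models": ["DL-EXAMPLE-1"],
            "affected_revisions": ["2.1", "2.2"]}
```

Running `match_advisory(ADVISORY, INVENTORY)` returns only the CEBAF unit, because the FEL unit runs an unaffected revision and the Siemens PLC is a different OEM; the owner e-mail on each hit is who gets notified.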
