
Cyber Security - Not all products are equal

  • Writer: jdente
  • Apr 17, 2022

For over 8 years I have been testing and reviewing tests of BMS, Lighting, Energy Meters, Headends, Leak detection, etc. To date, over 300 individual products have been tested for cyber security.


Generally the failures are caused by not supporting encryption (e.g. only having an HTTP login page), bad configuration such as default passwords and, worst of all, a lack of updates by the manufacturer, indicating they don't understand the issues.



A typical vulnerability report; here you can see FTP is detected and has a number of encryption issues.


If you care about your clients' reputation, the cyber testing should be done before any products are put onto a network or, better still, as part of the selection process. In addition to this, the network itself should be tested.


Engineers' laptops should be checked for malware and viruses before being used on site as an additional security measure. I have seen first hand a laptop with multiple malware and viruses, and the engineer would have carried on plugging into the network if we had not stopped them. We then scanned all the USB sticks he was carrying and found them all to be infected.


There is a general issue in that the controls industry never previously had to deal with cyber security, as it was generally a serial-based setup. Now that this has migrated in large part to IP, the issues are front and centre of projects.


I personally would like to see manufacturers update firmware more frequently, based on penetration testing they themselves carry out, and in addition accept reports from third parties openly and work with us to get them resolved.


 
 
 


©2022 John Dente
