Intech Article Myth Debunked
The October issue of Intech has a security article on SP99 that is quite good. However, one of the four myths listed early in the article greatly overstates the case.
The second myth: “In the IT world, the primary focus is to protect the central server and not the edge client. In process control, the edge device is far more important than a central host.” I can’t disagree more strongly. If an adversary gains control of a central host that is the brains of a SCADA or DCS system, the adversary can control EVERY edge device. Digital Bond has gone into a variety of threat and risk scenarios with process control clients, and they all quickly see what a cyber attacker could do if he owns the server.
This risk to the ‘central host’ is even greater since most of the existing, legacy systems have not been designed with security in mind or tested by a security peer group. If virtually every enterprise software vendor has suffered from common flaws such as buffer overflows, how can we assume a process control application would not have a similar problem?
I can agree with a modified version of the myth . . . the edge device is typically more important in a process control system than in a corporate enterprise.
Author: Dale Peterson
Posted: November 10th, 2003 under SCADA Architecture.