Wednesday, January 27, 2010

Reader Comment – 01-25-10 iPhone Security

Harold Ennulat posted a reply to my blog posting on the iPhone industrial control system application. Harold wrote:
“Good reminder about the security concerns. We'll have to wait and see how people actually use this kind of capability with devices like the iPhone. It seems inevitable to me that they will be used and the security issues will be addressed satisfactorily.”
I agree with Harold that apps like this will almost inevitably be used. Anything that makes someone’s job easier is likely to be successful. More platforms will get this type of application development and the apps will cover more devices. Security managers who don’t understand this are living in a dream world. I am, however, too much of a cynic to agree with Harold’s assumption that “security issues will be addressed satisfactorily”. I have spent a great deal of my personal and professional life around a wide variety of engineers, and very few of them that I have known have a great deal of respect for security rules. They will go along with the letter of the rules, but if the rule gets in the way of getting the job done they will figure out a workaround. The more creative the engineer, the more likely they are to discover a unique workaround. I can even understand the reasoning that would allow a reputable engineer to bypass this type of restriction:
'The jihadists are religious fanatics so what could they know about control systems and sophisticated electronics? Besides they would have to know what specific equipment we are using here and know the specific communications protocols that we are using. Even if they could get control of our equipment they would have to understand our process to do any real damage.'
The first assumption is the worst, of course. The single most common background for known Al Qaeda operatives is engineering. So, it is likely that there is adequate understanding of control systems and electronics within these organizations. The other assumptions certainly contain a level of validity. The communications protocols and systems analysis would be difficult to detect and understand from outside. This is an area where insider knowledge, either from facility or vendor staff, would provide the most likely avenue of approaching the problem. Having said that, we still must remember that hackers figure out similar communications protocols all too frequently.
