As if there aren’t enough holes in control systems communications already, it appears that the move to use mobile devices to access those systems may make industrial control systems much more vulnerable. An article over at USAToday.com points out recent research that describes major holes in the security of the operating systems on these mobile devices.
The article notes, for example, that one security firm “showed how it's possible to eavesdrop on any smartphone or tablet PC as it is being used to make a purchase, conduct online banking or access a company's virtual private network [emphasis added]”. Since companies are being told by ICS-CERT and others that remote access to control systems should be done via a VPN, companies following current guidance while allowing the use of mobile devices may actually be opening up their ICS network to attack.
Another well-known security research organization is reportedly able to “steal secret keys and passwords, and pilfer sensitive data, including call histories, e-mail and text messages” from iPhones and iPads. All of this makes using these devices for access to control systems more than a little problematic.
It will be interesting to see if ICS-CERT does anything to publicize this problem.