Meltdown and Spectre.
They sound like a Bond villain and one of the X-Men. Instead, they’re the latest cybersecurity vulnerabilities that have emerged to keep your IT teams awake at night, and possibly you, too.
Rarely has a breaking news item felt more timely to the Plant Services editors. Less than a week after putting our first cover story on cybersecurity to bed, two new and serious security vulnerabilities came to light.
And they’re not just any kind of vulnerability – the bad news is that both of these are baked into the processors themselves, across billions of devices. As an Apple blog post stated, “these issues apply to all modern processors and affect nearly all computing devices and operating systems,” from cloud services and computers to phones and browsers.
The first good news is that there has already been a concerted effort on the part of processor companies, operating system companies, and cloud providers to address these vulnerabilities. An excellent summary of the initial responses can be found in a recent Ars Technica article; another article, from Gizmodo, provides an ongoing list of patch releases and operating system updates so you can check to see if your devices are still vulnerable to these new threats.
Part of what feels so surprising about Meltdown and Spectre is that the risks they represent are not due to the actions of bad actors from the outside who intentionally try to hack into your plant network; they also are not due to any errors in human judgment that might introduce security risks (e.g., not changing passwords frequently enough, or plugging an unsecured smartphone or USB stick into a device connected to your control network). These flaws are on the inside of the devices themselves, a vector that is less commonly discussed when it comes to cybersecurity best practices.
Plant Services went to press before news broke about Meltdown and Spectre, so you won’t find mention of either in this month’s cover story. However, you will find coverage of our industry’s response to other cyber-threats, including information from a presentation by Alan Berman, president and CEO of the not-for-profit Disaster Recovery International Foundation (DRIF), in October at the 2017 SMRP Conference, and practical advice on everyday cybersecurity tactics that you can implement with your teams, especially when considering use of cloud technologies for PdM or similarly data-intensive initiatives.
And the second good news? Our industry is familiar and already deeply engaged with cybersecurity issues, to the point that members of the Homeland Security department are approaching SMRP to provide counsel in these areas, as Howard Penrose outlined last May in Plant Services.
New vulnerabilities may be inevitable, but our industry is already having the right conversations.