BYOD Security in Perspective

Following close on the heels of industry\’s broad acceptance of networked control systems came the BYOD (bring your own device) movement – wherein corporate issued or personally owned mobile devices such as smart phones and tablet computers were being used to access automation and control networks. Accepting and securing in-house plant floor systems was one thing; extending that concept to employees\‘ mobile devices was a bridge too far for many engineers and plant managers. Though the concept is still in its early days, the momentum around BYOD is much like that behind the push for networked systems a decade or more ago. The difference now is that, since industry has largely accepted the networked control system concept, acceptance of BYOD is likely to occur at a much more rapid pace. Like the initial concerns around networked control systems, the main concern with BYOD is how to secure all those devices. Eric Byres, chief technology officer and vice president of engineering for Tofino Security at Belden Inc., made note in his blog recently about comments presented on the BYOD security topic at the International NCSC One Conference 2014 at the World Forum in The Hague. He noted that \“while security traditionalists talk about ensuring confidentiality, availability, and integrity … the real goals can be divided into two more general ones: maintaining safety and maintaining control.\“ Considering the inevitable increase in mobile device use in industry, this more targeted approach seems to make sense. As Marc Leroux, marketing manager, CPM Technologies R&D at ABB says, plant managers today \“need to have instantaneous access to all pertinent plant information, whenever he wants, wherever he is. With the larger amounts of data now available, and the always connected environment we are accustomed to, that information has to be available on phones, tablets and desktops.\“ Given this reality, Byres questions if iPhone or Android smart phones are really the security risk the IT world claims. To put the issue in perspective, Byres asks: \“How many truly effective rootkits have you seen for attacking iPhones? Now consider how many rootkits there are for taking over PCs.\“ He also notes that IT groups rarely encounter the need to patch many serious mobile device vulnerabilities, yet they have to install critical Windows, Java, or Adobe patches on PCs every week. Byres goes so far as to point out that personal phones may actually be more secure than all the other devices welcomed by traditional IT. \“Smart phones are more carefully guarded by their owners,\“ he says. Backing up this assumption, Byres referenced studies that show, on average, people notice and report a missing phone in less than 20 minutes compared to 24 hours for a missing wallet. \“If someone stole my laptop on a weekend, it could be two days before I noticed,\“ Byres says. \“And once an iPhone goes missing, the remote wipe features are very effective. I doubt my IT department could ever wipe the laptop they gave me if I happen to lose it.\“ The mobile future of manufacturing is already here. How industry adapts to that reality will determine how quickly and how widespread the benefits will be for the early adopters.