Re: potential security issues with embedded systems?

[Jere Retzer <retzerj () OHSU EDU>]

H. Morrow Long wrote:

> Many of these systems are used for monitoring temperature, off/on
status and other sensor output -- but they can often also be used to
control the device under monitoring/management as well.

> While these devices used to be on proprietary networks in the past, or
even just on closed systems with RS232/422/etc, now they are often on
IP-based Ethernets (and many enterprises may possibly use their regular
enterprise network to connect these devices for ease of access....).

Correct, and while I don't wish to be alarmist engineers from the
realtime community typically don't have our perspective on the hazards
of modern networks. I read in an article recently on a publication on
realtime control systems that said it was not necessary for the OS to
support encryption because it would "typically be installed behind a
firewall." Those on this list are probably mostly well, and painfully
aware that firewalls, while necessary in many cases are becoming more
and more ineffective with the growth of laptops, wireless nets,
encrypted tunnels, the growing tendency to connect everything via port
80, etc ...

To stir things up a bit more, a few years ago I worked for a company
that integrated realtime control systems for electric power utilities --
it was the rage at the time to use TCP/IP over Ethernet and even
integrate on the corporate network.

If that is not enough, those of us in healthcare also deal with patient
monitoring and life support systems, although my experience is that the
clinical engineering community has, or at least had when I last worked
with them a healthy level of paranoia.

Jere Retzer, OHSU

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.