For years experts have harped on the dangers inherent in purchasing automation and control products on the gray market. For those unfamiliar with the term, the gray market consists of sellers who are not part of the normal channel to market. I am not saying these people are crooks, villains or scoundrels — they just aren’t part of the authorized (and regulated) channel to market.
But add an emerging threat from malware in factory automation systems, and the gray market in automation and controls takes on a more sinister look.
Experts have been predicting for years that someday hackers might push their way into the world of automation and related products. For most folks this was a theoretical danger. It could happen, it might happen someday, but it’s not something we changed our behavior over.
I believe this danger just jumped two notches on my own danger meter. Here is why: Recently, global automation giant Siemens announced the detection of malware designed to detect Siemens Simatic WinCC and PCS7 programs and their data. The malware, which resembles a “Trojan” virus, is capable of sending process and production data via an Internet connection it tries to establish (according to Michael Krample, a Siemens media relations director). This is not the first time something like this has happened, but it is the most transparent in its news release.
This sort of thing has the potential to create havoc in manufacturing environments. The little bug could steal sensitive data, purposely destroy expensive production equipment and cause massive human suffering — chemical releases, fires, hazardous material spills and loss of life.
Who creates these heinous inventions? Your guess is as good as mine. In this particular case, a common use for the equipment involves “SCADA” applications commonly found in water treatment. National security experts have identified the safety of our drinking water supply as a point of concern. Organized and well-funded terrorist groups are probably brainstorming on this topic as we sit here today.
The Combined Danger of Gray Market and Malware
The malware threat in software is just one side of the danger. Most of today’s automation technology hardware has resident firmware. These are complex little programs that tell the chips how to perform. And it’s pretty easy to alter the program stored in that firmware. When automation hardware falls outside the normal channel to market, you can never really know where it comes from or whether it has been altered. That really nice guy on the other end of an eBay transaction might be honest as the day is long. Or, he might be a whacked-out sicko with a desire to be the biggest thing since Dr. Ted Kaczynski of Unabomber fame. You don’t really know. But load your system up with a sabotaged component and all hell could break loose.
What amazes me is the resiliency of the market for this type of stuff. A recent trip to eBay revealed tens of thousands of this type of product posted for sale (Allen-Bradley, Siemens, Telemecanique and Omron; all the major brands were represented). Just last week, I heard of yet another “hot shot” buyer from a municipal solid waste center who saved a bundle on the purchase of equipment for his new upgrade. When I started to outline the dangers, he routinely dismissed the situation with, “It’s up and running — no problems so far.”
Now, a Special Message to you Bargain Shoppers
When you’re playing with dynamite, nobody cares — just as long as you’re hundreds of miles from the nearest other person. Blow yourself up and it’s only a minor deal; blow up others and it’s our job to stop you. And if you buy automation hardware outside the authorized channels, you definitely are playing with dynamite around others.
If you save a nickel and injure someone else — you should go to jail (and for a very long time). If you plant this stuff into somebody else’s factory and they lose production time, you should be forced to pay.
Why not join me in swearing off “gray market stuff”? You’ll feel better because of it. And, if you don’t — I volunteer to serve as an expert witness against you when you get caught. Trust me, you will get caught.
—Frank Hurtte
Hurtte is president of River Heights Consulting, Davenport, Iowa, a multi-talented distribution consultant with decades of experience in the automation and control market, including years with Rockwell Automation/Allen-Bradley and Van Meter Industrial. He can be reached at [email protected].