Joe Weiss is 100% correct. Many companies talk about security, but their management team has no idea what is going on or what is required for information security processes to be successful for their product. I worked in the area of information security for many years before moving into higher education where I teach courses in this area. We still have a long way to go before companies understand that security should always be at the top of the list.
The current security paradigms are moving away from most of the defenses being at the gateway to the system, because it leads to targets that are described as "crunchy on the outside but soft on the inside". Based on that many would advise making these controllers more resistant to attack. Unfortunately, they are relatively unsophisticated devices. What needs to happen is the creation of an effective strategy to protect their programming. For example, you could set up a disconnected computer to program them (the "air gap" that was described in the article) and set up strict scanning protocols for both that machine and media used to transfer files to it.
This works as long as the controllers can be effective on disconnected systems. Unfortunately from a security point of view, they are most efficient when feeding their data to a network. This requires very strong network configuration and monitoring, but if it can be separated from the programming interface that might be effective.
A Book For All Reasons Bernard Cole1 Comment Robert Oshana's recent book "Software Engineering for Embedded Systems (Newnes/Elsevier)," written and edited with Mark Kraeling, is a 'book for all reasons.' At almost 1,200 pages, it ...