Slashdot Mirror
Industrial Control Software Easily Hackable
jfruh writes "CoDeSys, a piece of software running on industrial control systems from hundreds of vendors, has been revealed to be easily hackable by security researchers, giving rise to a scenario where computer hacking could cross the line into the physical world. Worse, many of these systems are unneccessarily connected to the Internet, which is a terrible, terrible idea."
Kaspersky says they'll come up with a new OS specifically designed to protect industrial control systems from hacking and sabotage.
http://www.pcmag.com/article2/0,2817,2411052,00.asp
Now you're just being paranoid. Instead, you should develop an artificially intelligent system to defeat would-be attackers and malicious software. That sounds like the best idea.
- Skynet
It's not necessary.
Mostly random stuff.
...that they'll come up with something, the REAL solution has NOTHING to do with what they're talking to.
The OS isn't just the problem. It's the SCADA applications themselves as well. Something I've pointed out on several occasions to industry and even to people at NIST on the subject- in fact, quite a few researcher's have pointed this out over the last decade now. (And, all of a sudden, it's a "problem" now...sigh...)
Kaspersky's solution WON'T fix things like they're claiming- it's just more snake oil in a field FILLED with it.
They're more worried about having to change out things and the expenses of these deeply flawed designs they've cobbled together to manage the system components of things. The solution is to START OVER with honest security in mind instead of all of the half-assed solutions including authenticated DNP3 and the like.
Make the first episode of BSG Season 1 required viewing for "intro to computers" class.
This is a mouse, this is a keyboard, this is why you don't jack your global defense grid into a wifi hotspot.
At what point will software engineering be professionalized like the other branches of engineering?
Surely there are well established guidelines for securing software at this point.
1) Create a professional society for software engineers (the SPSE, let's say) with the power to grant and revoke certificates. Assemble a blue-ribbon committee and give them 6 months to come up with membership requirements
2) Have the SPSE adopt existing standards regarding security, stability, and whatever other categories are needed
3) Amend the existing construction/operating permitting mechanisms by adding a requirement to use certified software engineers
Voila, now whenever you build a factory, hospital, or other civil engineering structure that is already heavily regulated, you will be required to use certified gear, and that certified gear must now be built to a minimum industry standard.
Other industries can then piggy-back on your new standards: the codes for banks can be rewritten, and miscellaneous unregulated industries and companies can write the requirement into their contracts.
...you have physical access and hand tools. The ease of access in-place isn't a problem.
Controlling access itself is the problem.
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
What we have here is a TCP port that let you have an unauthenticated shell access. In other words, this an easy to find backdoor. It is so easily exploitable that I am not sure it even deserve the term "hack".
may need unions as well so the coders can stand up to the PHB's and say that...
That time table is to tight
We need more staff and the 80 hour weeks are just makeing us make more errors.
We can't cut QA
You can't hire people who can't pass the certified test but have BA/BS while passing over people who have passed the test but don't have a BA/BS.
No I will not add this new stuff to the code this late in the roll out hell we still have some big bugs in the code base to work out.
No will not use that POS best buy special as the system that will run the PLS hell it's PSU is a very poor one per this review of it.
tell that to the PHB who said we can save by remoteing control to some offsite place.
With the emergence of 3D Printers, rapid prototyping and the domestication/democratization of manufacturing, I don't think it's going to do so much harm. Manufacturing is undergoing a revolution. Many parts (and even burritos... Google that up to see what I mean) will be "printed out" at home. People won't give toys and dishes for Christmas, they'll gift the blueprints and some resins instead. Heavy Duty Industrial will remain somewhat the same, but not manufacturing as we think of it now.
Eyes Open Self-Hypnosis for Victory: Summon the Warrior
"Did professional engineers prevent the Challenger Disaster?"
.. ref
No, nor did they cause it, what did cause the disaster was political interference, such as the decision to manufacture the solid booster rockets in another state, necessitating them being made from segments bonded together with O-rings
AccountKiller
I was doing some electrical work at an oil refinery up north in Canada about 5 years ago. I wasn't specifically attached to their control systems or PLCs, though since the electrical was intertwined with a bunch of the automation I naturally knew all the guys who were taking care of that portion of the project since we were required to collaborate together.
On one particular day, I entered the facility as usual and was heading to an unfinished section to check out some conduit. On my way there I noticed a CAT5 cable stretched across a walkway, disappearing into a stairwell. This was so incredibly absurd and suspicious that I just had to see what the hell was going on, even though something in my head told me I didn't want to know. I traced the cable back to the management office where it was plugged into one of the network switches. Okay, weird- follow it back in the opposite direction, all away across the plant- after about 80 meters there was a hub/repeater dangling over a walkway rail plugged into the wall and another CAT5 cable stretching off into the oblivion. Following the second extension cable led me to a set of PLCs and a group of the control guys throwing vulgar insults at an Allen Bradley PLC unit.
Turns out the PLC was a "new" model. Instead of handling the licensing through a floppy disk (!) like all the old units did, this one used some sort of a proprietary activation scheme that had to run over the friggin' internet before the PLC would actually do anything. The CAT5 cable I'd traced about 180 meters across the plant going back into the office internet connection was setup to allow this process to complete, since they had apparently failed to do it earlier when the system was OOTB but not yet hooked up.
They eventually got it all working, but it took them about 5 hours of fiddling to get the damned thing working properly.
Shit like that is the reason why things are hooked up to the internet, sometimes improperly. I know there's certain requirements for remote monitoring and such, and that should all be done over an isolated, encrypted VPN- but then you've got licensing bullshit like this that expects to phone home to a random server on the internet with little or no fire walling in-between. There's no reason for it otherwise- apart from the PLC guys wanting to make sure you're licensed and all paid up, god forbid anyone should buy a second hand PLC and reprogram it to do something useful again.
-AC
I've said it before, and I'll say it again: What possible reason could industry have to put controls networks on the internet? I can understand putting some type of reporting on the internet, so the bigwigs can keep track of up to the minute production. *disclaimer: I am an industrial electrician. I work on industrial controls in a sawmill. The day a production foreman asks us to give him control of machinery over the internet is the day I find a new industry.
the PHB's over redid there issues.
That seams like a good way and they can be hard to copy as well.
Sadly no one will listen until something bad happens.
If you told someone pre-2009 about the need for financial regulations and the upcoming collapse people would call you a communist and a liberal! Peter Schiff did jsut that and was laughed at before he earned fame when the Great Financial Collapse hit.
Same is true with nuclear powerplants after fukashima, airport security after 9-11, and same after the space shuttle Challenger exploded, IE 6 security after code red. Money talks and shit walks. Only when deemed necessary does something change.
Right now sadly we might be without power or worse another nuclear powerplant meltdown here in the US caused by Iran before anything gets done. Not unions or professional software orgnaizations or even licensing.
People hate change and especially MBA PHBs who never have heard of a single internet security attack on a PLC piece of equipment. If you can't do it MR. Slashdotter reading this then someone else will since it is never a problem.... therefore it is perfectly secure etc.
I mean they hated upgrading browsers too until IE 6 was shown a risk and they still love XP despite it. Why? Money. Until it becomes a liability and laws come into effect and PHBs shit their pants the problem will nto be solved
http://saveie6.com/
Actually works better if you read it as 'clown' services.
Faster! Faster! Faster would be better!
Well then, the Gods Must Be Crazy.
(Actually is happened to me earlier this week. I think it's Obama's fault.)
Faster! Faster! Faster would be better!
The CAT5 cable I'd traced about 180 meters across the plant going back into the office internet connection was setup to allow this process to complete, since they had apparently failed to do it earlier when the system was OOTB but not yet hooked up.
Assuming it was all Rockwell/Allen+Bradley gear then it was undoubtedly the FactoryTalk Activation system they were struggling with, and they were undoubtedly unqualified to be doing the work they were assigned to do (disclosure: I am a former Rockwell Automation employee so I have familiarity with the subject, but apart from that I do not speak on behalf of any employer past or present here).
First and foremost, Allen+Bradley(AB) PLCs don't need activations, so the licensing really isn't relevant to this story. AB makes a crap-pile of profit on that hardware the moment they've sold you the box--activation makes no sense. What DOES need to be activated (and is what creates profit for the Rockwell Software division) is the RSLogix programming software, without which the PLC is as useful as a doorstop. So unless they were completely clueless they'd have just taken their laptop into the office and activated their software then come back, rather than break all sorts of IT, security and safety rules stringing out 180m of CAT5 and a spare switch to get internet. The same goes for their drives--the drive units don't need activating but DriveTools software on the programming laptop may have.
That said, there may have been an industrial PC like a VersaView or third-party unit running the Rockwell HMI software and was bolted into the cabinet with un-activated software for some reason, but Rockwell/AB have thought of that...
The legacy licensing system used utility software called "EVMove" and relied on "master disks" (towards the end you could set up a USB flash drive) and in the field this was a royal pain in the ass--floppies and their drives are far too sensitive for such an environment, and USB memory sticks are terrible to manage and secure. Thus the development of the FactoryTalk Activation internet service-based scheme. Though it requires the internet the end system does not need to be connected to activate. The easy "wizard" way sends a "host ID" (the ethernet MAC address or some such number) from the end device to Rockwell via the internet. However, you can actually write down the mac address, or generate the hostID file on the target machine, then go to an internet-connected computer and type the hostID into a secure web form or upload the hostID file. The website then generates a license file that you can save to removable media or a laptop/portable machine to take over to the target machine physically, thus preserving the air gap (and making the method more similar to the old EVMove floppy method).
I do agree that licensing/DRM/activation is a big problem that costs end users millions of dollars globally (above and beyond the actual purchase cost of the products). It adds complication and downtime and confusion and contributes exactly zero value to its users. One might argue about its value to the vendor as well--FactoryTalk activation and many other similar schemes are just as trivial to circumvent as CoDeSys' ladder logic runtime for hackers, and adds the burden of extra support costs from the honest users it keeps honest. But the problem in industrial automation is bigger than that. The problem is that the world in general moves faster than industrial control systems can keep up, and the people who have "experience" honed their skills in the mid 1990s or earlier and haven't kept up. In the meantime, PHBs of the world in management and government demand of them far more than they are capable of delivering.
It used to be that refineries/factories/etc were content with paper chart recorders where operators and plant managers could peruse them if something came up to troubleshoot. Then came data recorders where you could plug in a serial cable or transfer via floppy to a computer for more deta
Preaching that automation systems be kept off the internet is like preaching abstinance until marriage to teens. It sounds like the lgical solution to all the problems but it is unreasonalbe to ever expect it to happen, so the best course of action is to educate on how to do it safely and responsibly.
Ther are many valid reasons that automation systems are connected to the internet in some fashion (though they never need direct internet access). Some of those reasons relate to not braking the law.
In industries like oil and gas, regulators require data to be collected 24/7/365 on all critical aspects of an operation. If an environmental or safety incedent were to happen and such data was not available for scruitiny it could lead to the permanent closure of that operation in extreme cases. Lack of due diligence in such matters can mean huge monetary fines and even jail time for wilful violations.
As such, in those operations a "process historian" server is standard equipment. These are central data logging servers that have essentally full read-only access to the industrila control system, and even some limited write access too (say, to assert a bit in a PLC to confirm it has received data, or to reset a totaliser or set a new batch number). Becasue of how vital the data is, there has to be some way to get the data off-site for archival and reporting purposes, and because of the volume of data and the immediacy that is demanded removable media is not an option. Thus these systems end up with some means of corporate network access. This does NOT mean the need "direct internet" access, but very commonly it means tunnelling through public/internet infrastructure via VPN (the "condom" if you will). Though technological measures can be taken to make this route into the plant impeneratable, it is complex enough to set up that people make mistakes and thus you end up with "holes in the condom".
The other use for outside conenctivity relates to support from off-site engineers, vendors and operators. A control system can be set up to report critical alarm conditions to smartphones, email inboxes and the like automatically with much more rapidness than a human operator at the board can do. The more rapid response to a critical incident the less likelihood for loss of revenue, damage to equipment, and injury or death of workers (again, in the case of "sour sites"--thouse that deal with natural gas containing deadly H2S, rapid response is vital to evacuate the facility and surrounding area and some of these are required by law).
So "preaching abstinence" in the complete absence of "sex education" is a bad idea. It is ineffective to say "disconenct from the internet" and not say how you can manage network security safely and responsibly, because at some point these people will be pressured into doing it and need to be able to "say no" if they aren't ready, and to know when and why it is "the right time", becasue if you DO use that internet connection responsibly it can actually be a great experience ;-)
Necessity is the mother of invention. That, or an article in the business newspaper your boss reads.
My solution to that problem was simply to subscribe to the same magazines my boss reads, peruse them for articles supporting my case and getting him to read it. Not only will he listen to them more than to you, he'll also think that you read "relevant" magazines and start listening to you, at least from time to time.
I know it's silly. hey, it's management!
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
We've been saying this for years, but then again - our company makes data diodes.
Religion is what happens when nature strikes and groupthink goes wrong.
isn't this why we have think tanks though? people who think up the worst possible scenario? then they find a way to fix it? you could even make it like a Reddit for professionals, who can post ideas and up vote them? en-mass idea generator... ?
NEVER NEVER NEVER NEVER NEVER NEVER NEVER NEVER GIVE UP! "No limitations, no boundaries, there is no reason for them."
"Passwords will be forgotten". I don't recall saying that. Perhaps let me spell it out for you AC. The password may never have been given in the first place. A common despicable tactic by some less scrupulous vendors and SIs.
As for "Linux will fix it", we know about that, and sometimes use it. However, there are other very good reasons for having your control network physically separate apart from security. Network load and response times spring to mind. But then Slashdot's default "throw linux at it and your problems will magically go away" response is hardly surprising.
I have determined that my sig is indeterminate.
No security expert will code their own software as long as OpenSSL, IPSEC, GPG and so on will do the job. Too expensive and too many mistakes to be make by bespoke software.
I suggest you hire one of these bearded Unix admins with some real crypto and networking experience and he is going to sort out the security issues in short order. Just listen to his advice and don't fuck his advice up with some el-stupido low-level requirement such as "PLC must talk directly to enterprise datat warehouse SQL server". Set up a clean, simple concept with defined interfaces and application-level firewalls which control the data flow in/out of the PLC secure VPN (delivered by BSD or Linux) and ensures sanity of any data inflowing. Don't bother too much about data flowing out, that is only a concern regarding industrial secrets and we all know the average corporate intranet is Insecure As Hell.
2012:
Medicaid hack update: 500,000 records and 280,000 SSNs stolen:
http://www.zdnet.com/blog/security/medicaid-hack-update-500000-records-and-280000-ssns-stolen/11444
So, what's dts.utah.gov running everyone?
LINUX (and yes, it got HACKED) -> http://uptime.netcraft.com/up/graph?site=dts.utah.gov
What's health.utah.gov running too??
YOU GUESSED IT: LINUX AGAIN -> http://uptime.netcraft.com/up/graph?site=health.utah.gov
* Ah, yes - see the YEARS OF /. "BS" FUD is CRUMBLING AROUND THE PENGUINS EARS HERE & 2012's starting out just like 2011 did below!
===
2011:
KERNEL.ORG COMPROMISED - The Cracking of Kernel.org: (that's VERY bad - do you trust it now?)
http://linux.slashdot.org/story/11/08/31/2321232/Kernelorg-Compromised
---
Linux.com pwned in fresh round of cyber break-ins:
http://www.theregister.co.uk/2011/09/12/more_linux_sites_down/
---
Mysql.com Hacked, Made To Serve Malware:
http://it.slashdot.org/story/11/09/26/2218238/mysqlcom-hacked-made-to-serve-malware
What's that site running? You guessed it - Linux -> http://uptime.netcraft.com/up/graph?site=mysql.com
---
London Stock Exchange serving malware:
http://slashdot.org/submission/1484548/London-Stock-Exchange-Web-Site-Serving-Malware
(I mean hey - NOT ONLY DID LINUX FALL FLAT ON ITS FACE less than a few minutes into the job http://linux.slashdot.org/story/11/02/19/0147232/London-Stock-Exchange-Price-Errors-Emerged-At-Linux-Launch, & crash not only ONCE, but TWICE there? You see "Linux 'fine security'" in motion @ the LSE too!)
---
DUQU ROOTKIT/BOTNET BEING SERVED FROM LINUX SERVERS:
http://it.slashdot.org/story/11/11/30/1610228/duqu-attackers-managed-to-wipe-cc-servers
---
Linux Foundation, Linux.com Sites Down To Fix Security Breach:
http://linux.slashdot.org/story/11/09/11/1325212/linux-foundation-linuxcom-sites-down-to-fix-security-breach
---
Linux's showing in CA's breached recently too? Ok: (very, Very, VERY BAD for ecommerce, online shopping, banking, etc./et al)
http://uptime.netcraft.com/up/graph?site=StartCom.com
http://uptime.netcraft.com/up/graph?site=GlobalSign.com
http://uptime.netcraft.com/up/graph?site=Comodo.com
http://uptime.netcraft.com/up/graph?site=DigiCert.com
http://uptime.netcraft.com/up/graph?site=www.gemnet.nl
The list of CA Servers BREACHED that RUN LINUX (StartCom, GlobalSign, DigiCert, Comodo, GemNet)... per these articles verifying that:
http://itproafrica.com/technology/security/cas-hacked/
&
http://threatpost.com/en_us/blogs/site-dutch-ca-gemnet-offline-after-web-server-attack-120811
---
The Stratfor SECURITY hack: (can't blame it on poor setup, this IS a security firm that uses Linux)
http://yro.slashdot.org/story/11/12/28/1743201/data-exposed-in-stratfor-compromise-analyzed
What's that domain run? Yes kids - you guessed it: LINUX -> http://uptime.netcraft.com/up/graph?site=www.stratfor.com
---
Phishers/Spammers FAVOR attacking LAMP: (Linux, Apache, mySQL, PHP)
http://www.theregister.co.uk/2011/06/10/domains_lamped/
PERTINENT QUOTE/EXCERPT:
"Phishers compromise LAMP-based websites for days at a time and hit the same victims over and over again, according to an Anti-Phishing Working Group survey. Sites built on Linux, Apache, MySQL and PHP are the favoured targets of phishing attackers"
---
Toss ANDROID (yes, a Linux since it uses a Linux kernel) in also, since it's being "shredded" on the mobile phone security-front rampantly for years now?
* You get the picture...
APK
P.S.=> Linux Security Blunders DOMINATE in 2011-2012, despite all /. "FUD" for years saying "Linux = SECURE" (what "b.s."/FUD that's turning out to be, especially on ANDROID where it can't hide by "security-by-obscurity" anymore & is in the hands of non-tech users galore - & EXPLOITS ARE EXPLODING ON ANDROID, nearly daily)
... apk
Ethernet is actually good enough for a number of things if and only if the network is unloaded. Reading values from a Modbus based protection relay for example. The values are not critical and even if the network fails the protection relay will still trip, but they are useful values to have and mean someone doesn't have to keep walking into the substation to look at them. I can think of a number of other such use cases where ethernet/ip is more than good enough. For remote IO, I would use something better, like DeviceNET(RS485, basically). But Even then, some remote ethernet IO is also good enough. It depends entirely on your use case. One size does not fit all. I am quite aware of the limitations of ethernet IP, and a lot of systems use the same physical layer as ethernet, but make special hubs (remember those?) mandatory instead of switches. I believe ethercat is one such system if you must know. In general ethernet IP is more than sufficient for any SCADA system (with a few exceptions). Time critical stuff should always be done in the (far more reliable) PLC not the (inherently suspect) SCADA system. But that is standard practice. Mostly. I have seen some horrible systems....
My skillset includes setting up linux security as well as programming PLCs and setting up windows security. I run various OS systems in industrial environments. But it is obvious you have never really worked with these systems? Your ideals are nice, but the real world called and wants to know if you'd like to meet for coffee sometime.
When people buy a machine they buy a machine. They don't think about the password because they bought a machine and they need no password to operate it. The salesman comes in and gives his spiel, and then they buy it. The SI or manufacturer password protects the PLC to protect his "IP" and that is that. It is annoying, yes, but I am more inclined to blame the SI/manufacturer than the customer. The customer's skillset does not include programming the PLC and if the system is made right, it should not have to. That is the point of the entire system - so that the customer does not have to worry about it. That is what sells. That is how it is, and how it works, and it is unlikely to change.
I have determined that my sig is indeterminate.
...concern anyone?
"We software Automation." is prominently put up on their website...a German company's TYPICALLY better at English than that.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
Let's examine your "list of 'noobz'" then, shall we? Ok, here we go:
---
1.) Noobz - like kernel.org, maintainers of the LINUX kernel iirc?
2.) Noobz - like STRATFOR (a security company no less, lol) ???
3.) Noobz - like London Stock Exchange????
4.) Noobz - like NUMEROUS BREACHED CA's?????
5.) Noobz - like mysql.com??????
6.) Noobz - like linux.com??
---
* Yea, lol, riiiighhtt... some "noobz" in that list above, eh?
APK
P.S.=> Fools was more like it, believing the "hype" that "Linux = invulnerable" which WE ALL HEARD HERE ON /. FOR TOO MANY YEARS now...
Funny how THAT is especially "falling apart" considering ANDROID (yes, a Linux variant itself) most of all, eh? No more hiding behind "security-by-obscurity" Penguins... your OS is OUT THERE, being torn apart, along with years of /. "FUD" too!
... apk
I have no doubt the average programmer can hack up something we can call an "encrypted TCP session". But it probably is
- not safe against replay attacks
- reusing session keys
- not integrity-protected (switching a bit in the cipherstream will switch one or more bits in the cleartext without your app knowing)
- not safe against low-level attacks against the crypto/session establishment parameter parser
- not properly vouching for the identity of both communication partners
There has a lot of work gone into getting this correctly done in SSL and its successor TLS. Even they made a couple of mistakes which had to be fixed. Chances are 99 to 1 you cannot easily get the same security level as you can get by simply coding against OpenSSL or GnuPG. Just using OpenSSL is a challenge for many, because they don't properly understand the concepts behind Public Key crypto. But replicating SSL/TLS - that is by far out of the technical and financial reach of most developers and their bosses.
So - just take OpenSSL and integrate it properly into your product. Make your boss send you to a training regarding the basics of PK Crypto, if your experience is only superficial. Or hire an known expert and let him show and explain you how to do it.
Read and try to understand Schneier's Applied Cryptography, play with the gpg and openssl command line programs, read code samples. This is not a "quick addition of capability", it is actually the painful and time-consuming acquisition of expertise. Management idiots don't appreciate this. Redmond fucked up their crypto efforts in the first iteration. Now they are somewhat better.
Fire sail. Bruce Willis is getting old to save our asses.
Um... 2000 dollars in a perfect world of milk and honey.
Set up a test network
Do all internal testing and documentation of the system
Get all docs verified by the customer and signed off on
Hold a factory acceptance test, get everything verified and signed off
Travel to the oil rig.
Oh, your tech IS certified for offshore work right? No? Oh, send him on the full week 5000 dollar training course first then.
Install and get everything verified in real system
Oh, and this has to run on Windows 2003 R2 by the way, that is the chosen platform for the HMI...
Easily comes to 50k USD doing this job. Not that big a cost in comparison to other expenses, but it is a bit of an expense to justify to someone who knows nothing about security... sigh
I've seen air gaps cause problems, especially when they're between the user's ears.
Of course one solution is to install another air gap between the eyes, but this is generally frowned upon by both HR and the janitors.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
I call bullshit. Linux and Android are not the same thing. Saying "Linux is no more 'invulnerable' to attack & exploit than Windows is" is just plain wrong.
"Worse, many of these systems are unneccessarily connected to the Internet,"
Instead of spending the oodles of money for those worthless airport scanners, department of defense boondoggles, and useless shit, flame, etc...
we could have spent the money to develop an ultra secure replacement for hardware controllers, and manditory audits of mission critical systems, and unplugged needlessly internet connected components from the internet.
Instead we spent our money foolishly on shit we don't need.
I am calling for the same people in the NSA who do the SHA and AES competitions to do something along these lines, because they've already proved themselves competitant, where other branches fail.
Somebody load us up the bomb.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Or start your own magazine.
I did consider bringing out "Management Fad Monthly" but I was worried that some silly bugger might try to implement an obvious spoof like TQM, stand-up meetings or employing Indian programmers, and then where would we be?
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
As far as I am aware, session key is a feature of cryptosystems employing either public-key encryption or some secure key exchange scheme to distribute keys in a changing topology of communicating nodes. Do you actually need to do this in a fixed industrial setup with specialized HW? As far as I know, the military has no problem with using key fill devices. (Just asking, I don't pretend to be an expert on that, just an interested reader.)
Ezekiel 23:20
What do you think will happen when managers learn how much software that gets signed off by a PE costs and how long it takes to develop?
Hey, stop that! You're threatening my job, because coming up with harebrained ideas how to hack our security IS my job!
And damn, I love it!
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.