Every year, Help Systems surveys the IBM i Marketplace to determine trends for the platform. Over 500 people from around the world participated in the third annual survey, and the results were just released and can be found here:
3rd Annual Help Systems IBM i Marketplace Survey
One of the highlights for this year is indicated in the chart below, which shows the top concerns for IBM i shops as they plan their 2017 budgets:
Security is the number one concern, with 71.3% of respondents placing it at the top of the pile. This is more than double last year's result, which had security at 33.1%.
Readers of this blog will note the number of times security has been covered, and concerns over security are not unique to IBM i. What has been unique to IBM i is the belief that the platform has never been hacked. This may no longer be the case.
Verizon has a RISK (Research, Investigations, Solutions and Knowledge) team that is called in by organizations around the world to investigate and help remediate security violations. In 2015 they investigated over 500 security breaches in over 40 countries. The report for 2016 covers one breach that involves IBM i. The report makes for fascinating reading and can be downloaded here:
The breach involved a water supply and metering company, where hackers used passwords, user profiles and internal IP addresses for the backend IBM AS/400 (note the name: the platform in use was more than 10 years old). The credentials were stored in plain text in an initialization file (.ini file) for a front-end payment application web server that was directly connected to the backend AS/400. They were able to use a known vulnerability in the old credit card application to do some damage.
The hackers were able to modify PLCs (Programmable Logic Controllers) controlled by the AS/400 applications to adjust the flow rate and the chemicals introduced into the water supply to make the water safe to drink. They were also able to access over 2.5 million stored records containing customer PII (Personally Identifiable Information).
There were a number of lessons learned from this breach. First and foremost, you need to keep servers and applications updated. The AS/400 was also directly attached to the Internet, thus exposing the internal network. Obviously, passwords and IP addresses should not be stored unencrypted in clear-text files. Finally, there was only a single administrator for the AS/400. Duplicate hardware, software, and network connectivity are standard practice these days, but having redundancy in personnel is also worth considering.
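One way to check your own web servers for the clear-text credential problem described above is to audit their .ini files. This is an added example, not code from this blog or from the Verizon report; the key-name list, the reference conventions (`${...}`, `%...%`, `env:`, `vault:`) and the sample file are assumptions constructed for illustration.

```python
import configparser
import ipaddress
import re

# Key names that usually hold a password or user profile (assumed, deliberately broad).
SECRET_KEY = re.compile(r"pass(word|wd)?|pwd|secret|user|profile", re.I)
# Values that point at a secret store or environment variable instead of a literal (assumed).
REFERENCE = re.compile(r"^(\$\{.+\}|%.+%|env:.+|vault:.+)$")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def audit_ini(text):
    """Return (section, key, issue) findings for the contents of one .ini file."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        for key, value in parser.items(section):
            value = value.strip()
            # A literal value under a credential-like key is a stored secret.
            if SECRET_KEY.search(key) and value and not REFERENCE.match(value):
                findings.append((section, key, "plaintext credential"))
            # Internal addresses give an intruder a map of the backend network.
            for candidate in IPV4.findall(value):
                try:
                    addr = ipaddress.ip_address(candidate)
                except ValueError:
                    continue  # looked like an address but is not one (e.g. 999.1.1.1)
                if any(addr in net for net in RFC1918):
                    findings.append((section, key, "internal IP address"))
    return findings

# Constructed sample: a weak section, a corrected one, and a public URL.
SAMPLE_INI = """\
[backend]
host = 10.20.30.40
user = PAYAPP
password = Summer2016
[backend_fixed]
host = backend.example.internal
user = ${PAYAPP_USER}
password = ${PAYAPP_PASSWORD}
[public]
url = https://203.0.113.10/pay
"""

if __name__ == "__main__":
    for section, key, issue in audit_ini(SAMPLE_INI):
        print(f"[{section}] {key}: {issue}")
```

Only key names and issue types are reported, never the values, so the audit output itself does not become another clear-text copy of the credentials.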
Mid-Range can help. Contact us for a Free Security scan.