Cusimano points out, "A lot of effort is going into protecting the control system from the business network (or vice versa, depending on your perspective). This definitely makes sense. Although a significant challenge, the biggest threat to control systems is all the 'side channels,' meaning the other ways that digital information can get into the control system besides through the business network. In general, there is a real false sense of security out there being attributed to the firewall between business and control. First of all, most of them [the firewalls] are misconfigured. They are put in, and then everyone requests ports to be opened so their applications can work, and after a while, they look like Swiss cheese. Second of all, they only represent protection of one path into the control system. USB sticks, maintenance laptops, CD/DVDs, remote access, modems, wireless access points—all represent just a few of the many ways a control system can be compromised."
Mike Baldi, security architect for Honeywell Process Solutions, agrees, "There is no easy answer for this. Systems have to be protected from the intentional external attack and from the intentional or accidental insider attack. Locking down USB devices and CD/DVD readers significantly improves the security of the system. Using defense-in-depth, least-privilege-required and separation of duties strategies will greatly reduce the attack surface. Once a system is installed securely, it must be monitored continuously for indications of non-normal events that could signal a cyber incident against the system."
From his perspective in enterprise security and government, Guida says, "I am honestly less worried about another country attacking us, with the exception of North Korea, than I am about the possibility of some miscreant, like a spin-off of 'Anonymous,' just deciding to screw with peoples' lives and bring down some infrastructure 'just for the hell of it.' Unlike a country-level attack, a miscreant attacking really is more likely to be just hacking/intrusion over the Internet. A country-level attack could include physical break-in or sophisticated social engineering or traditional spy-level stuff. If systems are not exposed over the Internet or exposed within the company's network so that a successful attack on that network could leapfrog to systems attached to it, that would greatly reduce the attack surface to miscreant attack."
Is Security Another Y2K Fizzle?
There are many who believe that because nothing really bad happened with Y2K, nothing would have happened, and the whole exercise was a farce. Many of those same people, usually senior corporate leaders, appear to believe that cybersecurity in industrial control systems will turn out to be a similar fizzle.
Byres says, "Some people think it was a big waste of money because nothing fell apart on New Year's Eve 1999. But one reason that nothing went wrong was that people really did their homework to detect the Y2K issues up-front. So security could be like Y2K in the fact that if we do a good job, then people will say we need not have bothered because nothing went wrong."
The prevailing opinion from ICS security practitioners is that it's not like Y2K.
"Y2K was a one-time clock issue that had a very specific fix," says Weiss. "ICS security cannot be fixed with any 'silver bullet.' ICS security issues are real and have had devastating consequences to date. A nation-state targeted attack against the electric systems, natural gas pipelines and so forth could be devastating to this country."
ICS Is Different, Way Different
Guida explains ICS IT: "In an enterprise, you have an infrastructure, endpoint devices and humans with all their foibles. In an environment with PLCs and SCADA systems, you have an infrastructure, endpoint devices, humans and embedded systems. So the complexity of the latter is worse—and arguably much worse—because you may not even be aware of where your embedded systems are, what vulnerabilities they possess and how they are exposed."
Mattes explains, "There's a different prioritization between the two environments [ICS and enterprise IT]: The classic availability, integrity, confidentiality (AIC) versus the CIA perspective. ICS security is much more than standard systems, software and processes. Almost everything about ICS security tends to go against IT standards and processes. ICS environments are where enterprise IT was 10 to 15 years ago. We're talking about a high ratio of labor hours to system administrate and support, a lack of management tools, a lack of security capabilities, standards and products, with dynamic networking still in its infancy, and a lack of auditing and compliance capabilities, all with poorly designed software and interfaces. IT personnel need to understand the environment and accept that these environments are often the revenue-generation core of the enterprise."
A SCADA tech for a municipality in Ontario, Canada (who asked to be anonymous) put it pithily: "Explaining ICS IT to an enterprise IT pro is a waste of precious time. If you feel so inclined, see professional help."
For those still inclined, he laid out some rules:
- You cannot interrupt the process. No. Never.
- Do not touch. Ever.
- Here is a nickel. Don't spend it all in one place.
- Protect the process for the next 40 years against any and every eventuality including, but not limited to, the operator running the process, yourself, the equipment which runs the process, and any and all unexpected, uncommunicated, unplanned, last-minute or instantaneous changes to the process.
- Ensure that the documentation suite is clear, concise and understandable by a fourth grader and no more than one page long.
- Now hide all the documentation.
- Expect management to rotate every two years.
- Expect continuous staff rotation.
- Expect you have no time to test.
- Expect changes must be done on live systems on the fly without a safety net.
- Expect there are no spares.