The Myth of Rip and Replace in SCADA and Industrial Control Systems #cybersecurity #pauto #SCADA @tofino @digitalbond
Recently, Eugene Kaspersky made headlines about designing an operating system for industrial control systems. It doesn't seem to have gone anywhere, as you might expect.
Famously, Dale Peterson from @DigitalBond has been demanding for some time that asset-owners simply rip-and-replace their antiquated, hard-to-protect control systems with new, more cyber-secure systems. He calls people who disagree with him, "SCADA apologists." SCADA apologists appear to be those who say that it is so hard to upgrade SCADA (or other industrial control systems) security that it shouldn't be a priority now.
Recently, he referred to security expert Eric Byres as a SCADA apologist. Byres fired a blistering blog post back at Peterson: https://www.tofinosecurity.com/blog/%E2%80%9Crip-and-replace%E2%80%9D-approach-scada-security-unrealistic?utm_source=hubspot_email_marketing&utm_medium=email&utm_content=6663731&_hsenc=ANqtz-_TpK4YyggCDLxYe1bsNJCiZCTWwQtNj2ej3iqopOw6t3bIfilJS9Mv0pyLYaj-BzXIOLG7o49DbdauQLf-TxlT8rag7Q&_hsmi=6663731
The fact remains that any practical rip-and-replace strategy is a myth.
There is effectively no way to pay for a universal security strategy that consists in ripping out systems that are operating correctly and doing what they were designed to do, simply to replace them with something that might be more cyber secure.
And the jury is still out on the vendors producing more inherently secure products across the board, too. Siemens' new S7-1500 and the other "new generation" controllers with cyber security built into the design are barely on the market, and we won't really know for a year or so whether the designs improve security or not. One sincerely hopes they will, but...
I enourage people to read Byres' blog post, above. His main point is that just making products more secure (using ISASecure or other methodologies) by themselves won't dramatically improve security.
Neither will infighting between respected cybersecurity authorities.