Just when it seemed as though we were finally getting people at the top of corporations and government to listen about the differences between IT and industrial control system (ICS) security, the Obama Administration's executive order mandating improved cybersecurity for critical infrastructure seems to have taken us all back five years.
What do I mean? It's all about the money.
At the same time as the executive order was issued, it was revealed that critical infrastructure security would be exempt from sequester cuts. There is an entire industry, nicknamed "the Beltway Bandits" for the fact that these companies are mostly located inside the Washington D.C. beltway and, therefore, very close to the seats of power, that has smelled blood—or rather money.
These Beltway Bandits are the people that regularly consult for the Department of (insert name) and have contracts that amount to billions of dollars.
But they don't know anything at all about manufacturing or about cybersecurity in the industrial control system environment. So we have people saying, once again, that there is no difference between IT cybersecurity best practices and what we should be doing for critical infrastructure cybersecurity.
We have people who should know better even saying that those of us who do understand the difference are FUD-mongers for spreading fear, uncertainty and doubt about the likelihood of a cyber attack or other cyber incident. Well, I want you to be afraid—afraid enough to do something substantial about protecting our critical infrastructure.
We even have people saying that critical infrastructure security isn't important because we really, really need to protect the banking system. Yeah.
Why do we need to protect the banks? Because, as bank robber Willie Sutton remarked, that's where the money is. There's no money in critical infrastructure—that's why we haven't spent any real money on it in 50 years.
And, because the Beltway Bandits and the people who hope to get some trickle-down consulting money from them don't know how to do critical infrastructure security, they're acting like a tribe of monkeys faced with a threat to their existence. They are screaming, jumping up and down and throwing monkey poo.
But all the monkey poo that the Beltway Bandits can throw at those who've worked for years to develop a consistent theory of ICS security can't evade the truth; it can only obfuscate it—cover it with monkey poo, if you will.
The truth is that, while isolated parts of the country can, and have, survived storm events that have shut off the power for days, it is simply not possible for the country and its economy to survive attacks on power plant turbines and oil refineries. These kinds of facilities have major components that can be damaged or destroyed and that can take two years or even longer to replace. Think about Los Angeles or Detroit or New York City or Atlanta or Houston without power, for not 10 days, but for two years.
Once again we come to the major differences between IT and ICS security. IT security is about CIA—confidentiality, integrity, and availability in that order. ICS security is about AIC, availability, integrity and confidentiality—in that order. Therefore, attacks simply can't be treated the same way.
All the monkey poo in the world will not hide the fact that IT and ICS security are different, and the government should be handing out money to people who actually know what they're doing, not just to the usual suspects who suck billions out of the federal budget annually because they know the players.
But human beings are still monkeys at bottom, so be prepared for lots and lots of monkey poo.