If you ask users of industrial control system if they meet their design and performance requirements, I think you will find the answer is a resounding yes. However, if you ask security personnel if they are secure, you will probably get a resounding no. What needs to be understood is that control systems do a very good job of what they were designed to do – performance - but a poor job of not doing what they weren’t designed to do - security (notice the double negative). Unfortunately, bolting on security can, and has, caused unforeseen problems. Moreover, it is not clear these bolt-on security solutions have actually provided additional security. I continue to believe control system cyber security is primarily a “people problem”. Until the culture changes from the top down and appropriate control system policies and procedures are developed, I see little chance to significantly improve cyber security of industrial control systems.
Joe Weiss