Control systems are systems of systems that are purpose-built, often with limited computing resources. Control systems were designed to meet safety and reliability criteria which require open, interoperable systems and design requirements addressed expected system interactions. Control systems were/are designed with safety, integrity, and availability (SAI) as key requirements with confidentiality (C) a minor consideration which is inconsistent with the security triad of CIA where C is most important. Often, control systems are designed with features such as hard-coded default passwords that, in hindsight, can introduce cyber vulnerabilities. Without addressing cyber security as part of the design process, such as Bedrock Automation has done, it is difficult to establish a root of trust which is needed for cyber secure systems. Bolting on cyber security tools as an after-thought can have unintended consequences. As an example, patch management is different for a control system than for IT systems where generic Microsoft patches can be applied. Because of this concern, ISA99 has been developing guidance for control system patch management – ISA-TR62443-2-3, Patch Management in the IACS Environment.
A short sampling of problems with bolting on/adding cyber security to the control system environment without adequate control system/system interaction considerations include:
- multiple cases of manufacturing lines being shut down by using inappropriate (IT) patches
- cyber security tool shutting down a SCADA system
- loss of view and availability of a turbine from a bad patch
- chemical plant shutdown from changing a default password in a substation protective device
Bolting on/adding security to legacy systems may be necessary but it requires a detailed understanding of potential control system interactions which may not be either an IT or OT expertise. Without appropriate understanding, the cure can be worse than the disease.