Some observations on the differences between enterprise and SCADA security

I posted this earlier on the new SCADASEC listserv and I thought it deserved a wider audience.... If what you are doing is SCADA security, instead of IT Enterprise security, I would like to offer two observations. The first is that SCADA security has a somewhat different purpose than enterprise security. Both are certainly aimed at protecting the assets of the corporation or utility from attacks, whether interior or exterior. But enterprise security seeks to protect the servers primarily, and reacts to attacks by cutting off what external or edge devices the security people think they need to. SCADA security, however, seeks to protect operating systems _while they are continuing in operation_ and cannot shut down edge devices (the definition of these is somewhat different, too, between SCADA or plant security and IT enterprise security) unless nothing else will do. When we structure a defense position, then, we must look at this critical difference. You can shut down most, if not all, enterprise functions for significant periods of time with little harm. You cannot shut down a plant or a SCADA node without critical repercussions. The second is that it is vital to IT Enterprise security (and quite rightly so) that every guarded entity, be it a server, a switch, or a computer, have the same level of software revision, and firmware revision. On the plant floor, or in a SCADA implementation, it not only is not necessary to do this, it can very seriously be not only counterproductive but also actively harmful to do this. At the ARC Forum last week, Boeing IT experts, Craig Dupler and Steve Venema, explained in detail how Boeing realized the truth of these two observations, and what they have been doing for the past five years to differentiate and distinguish plant and enterprise security systems. I hope to have them present this in article form in _Control_ in the coming months. Any security expert who has not carefully internalized these significant differences between enterprise IT security requirements and plant and SCADA security requirements can actually be an active danger to the plant or SCADA implementation-- as dangerous as an uncontrolled attacker. Walt