Sunday, October 29, 2017, CyberWire published their “The Week that Was, 10.29.17:…. The weekly update provided a short summary of the ICS Cyber Security Conference. With CyberWire’s permission, I have included part of their Conference summary:
“On Tuesday ICS thought leader Joe Weiss, of Applied Control Solutions, delivered his annual "State of the State" address. He sees widespread security challenges for the industrial control system field as a whole. He deplored the ways in which IT security has taught the ICS community lessons he believes more misleading than helpful. "Our challenge isn't information assurance; it's mission assurance." The engineer's job is safety and availability. Fundamentally the engineer doesn't care whether a disruption arises from malice, error, or act of God: as long as it disrupts operations or affects safety, it must be dealt with. The consequences of failing to do so can be not only expensive, but in the worst cases lethal, and this is where he thinks a target fixation on protecting data can lead those responsible for industrial cybersecurity.
Other speakers agreed that analogies from the IT world could prove misleading to those concerned with ICS. As one of the speakers put it in a bit of quick advice to the security community, "Please forget fail fast. There is no agile. Failure is not an option."
So how susceptible is critical infrastructure to catastrophic failure? In Atlanta we saw a division between optimists and pessimists, between those who see resilience and those who see fragility. The engineers who operate plants and worry about doing so safely and reliably tend to be fall into the more pessimistic camp. They're very much alive to the dependencies, the possibilities of cascading failure, and the difficulty of keeping complex systems in equilibrium.
The cyber operators tend toward the optimistic—they're engaged, at least imaginatively and sometimes actually, in thinking about attack. And they perceive all of the attackers' difficulties so familiar to military operators. To be sure the attacker has the initiative, and can choose the time and place of engagement. Beyond that the defender has advantages, too: it's not for nothing that conventional tactical wisdom looks for a three-to-one advantage before going on the attack.
But perhaps some of the usual tropes about mutual misunderstanding between those concerned with IT and those concerned with OT are simply misguided. As the conference closed, participants were reaching consensus that the way to understand the issue is in terms of "before the packet" and "after the packet." What goes on physically before the packet is where the systems' ground truth is to be found, and it's there one finds the unaddressed security (and safety) issues.”
I will be providing my thoughts on the Conference later.
Joe Weiss
