After what seemed like we were finally getting people at the very top of corporations and government to listen about the differences between IT security and industrial control system (ICS) security, the promulgation of the Obama Administration's executive order mandating improved cybersecurity for critical infrastructure seems to have taken us all back five years.
What do I mean? It's about the money, stupid.
At the same time as the executive order was issued, it was revealed that critical infrastructure security would be exempt from Sequester cuts. There is an entire industry, nicknamed "the Beltway Bandits" for the fact that these companies are mostly located inside the Washington DC beltway and therefore very close to the seats of power, that has smelled blood...or rather money.
These are the people that regularly consult for the Department of (insert name) and have contracts that amount to billions of dollars.
And they don't know anything at all about manufacturing. They don't know anything at all about cybersecurity IN THE INDUSTRIAL CONTROL SYSTEM ENVIRONMENT.
So we have people saying, once again, that there is no difference between IT cybersecurity best practices and what we should be doing for critical infrastructure cybersecurity.
We even have people saying that critical infrastructure security isn't important, because we really really need to protect the banking system. Yeah.
Why do we need to protect the banks? Because that's where the money is. There's no money in critical infrastructure...that's why we haven't spent any real money on it in fifty years.
And because the Beltway Bandits don't know how to do critical infrastructure security, they are acting like a tribe of monkeys faced with a threat to their existence.
They are screaming, jumping up and down and throwing monkey poo.
But all the monkey poo that the Beltway Bandits can throw at people like me, Eric Byres, John Cusimano, Joe Weiss and all the others who've worked for years to develop a consistent theory of ICS security cannot evade the truth; it can only obfuscate it. Cover it with monkey poo, if you will.
The truth is that while isolated parts of the country can, and have, survived storm events that shut off the power for days, it is simply not possible for the country, and the country's economy, to survive attacks on things like power plant turbines and oil refineries. These plants contain major components that, if damaged or destroyed, can take two years to replace.
Think about Los Angeles or Detroit or New York City without power for not 10 days but 2 years.
Once again we come to the major differences between IT security and ICS security. IT security is about CIA: confidentiality, integrity, and availability, in that order. ICS security is about AIC: availability, integrity and confidentiality, and in that order. If a computer on an enterprise network is infected with a piece of malware, IT best practice is to isolate that computer, get it off the network, shut it down, and clean or replace it to remove the malware. Now let's say that that computer is the one running the distributed control system (DCS) that operates a major unit in a refinery in the Houston area. Shut the DCS down? Not hardly.
So, all the monkey poo in the world will not hide the fact that IT security and ICS security are different, and the government should be handing out money to people who actually know what they are doing, not just to the usual suspects who suck billions out of the Federal budget annually because they know the players.
But human beings are still monkeys at bottom, so be prepared for lots and lots of monkey poo.