Much has been written negatively about industrial control systems (ICS) by the open press and by IT security practitioners. The non-control-system community views control systems in the context of traditional IT. Consequently, the security requirements are not based on what it takes to secure a control system against control system threats, but on what it takes to secure the IT components used in control system applications (e.g., Windows servers and PCs) against IT threats. The design requirements for control systems were performance, reliability, and safety. Security is not only a new constraint; it often pulls in the opposite direction from reliability and safety. Control systems do their jobs very well. When was the last time you heard of an IT system operating at the 99+% reliability level for more than 10 years? Yet this is the norm for control systems.
Stuxnet is a great example of the conundrum between control systems and IT. Many people focused on the Windows zero-days, but they were simply the delivery vehicle. The warhead affected the controller by changing the controller logic. This was an unexpected control system attack to which no IT security solution applies. The weakness Stuxnet exploited did not directly affect performance or safety in normal operation, so it was never addressed by the control systems community. Moreover, because it was a design property rather than a patchable bug, DHS did not even call it a vulnerability. Changing default passwords may work in an IT environment, but not necessarily in a control system environment. In fact, changing the default passwords in a programmable logic controller (PLC) could effectively shut the PLC down, and this applies not just to Siemens but to other vendors' PLCs as well.
Because they cannot meet IT's desires, control systems are accused of failing to do what they were never designed to do. What matters is learning how to secure them while allowing them to continue doing their jobs, and that is rocket science. Because many control systems, especially field devices, have no security and may not be patchable, it is critical that they be secured by policies and procedures. This means CONTROL SYSTEM cyber security policies and procedures, not IT ones.
Arguably, there are only a limited number of people who are actually control system cyber security experts. However, those people are generally not consulted when the subject of control system security is raised. The Enduring Security Framework (ESF) Operations Group not only has no control system experts; it has not even included control system suppliers in the mix. The recent DOE and DHS roadmaps are vague and do not address the control system cyber security issues actually being faced. DOE's draft Electricity Sector Cybersecurity Risk Management Process Guideline does not distinguish between IT and control systems. NIST's National Initiative for Cybersecurity Education (NICE) does not address control systems. The recent MIT report on the future of the electric grid does not adequately address the cyber security of control systems.
We still have a long way to go.