ICS security

Finding a way to determine the right level of investment in ICS and SCADA Security has been an ongoing challenge for industry. In an earlier article the Total Cost of Ownership approach for calculating investment level was described. Today I present another method called Value at Risk (VaR).

Virtual Local Area Networks (VLANs) should not be counted on as a security feature of modern managed Ethernet switch networks. This is now common knowledge, both in IT departments and also in the Industrial Control Community. Indeed in Eric Byres’ article Why VLAN Security isn't SCADA Security at all he points out that switches with VLANS are not firewalls. But are VLANs the boogeyman of industrial control system security...or are they underestimated helpers?

Last week both Tofino Security and Belden participated in the Control Systems Integrators Conference in Scottsdale Arizona. The conference is organized by the Control Systems Integrators Association (CSIA) and this year the event boasted 500 System Integrator companies in attendance.

In my earlier column on the philosophy of Defense in Depth, I discussed how relying on a single defensive solution exposes a system to a single point of failure. No matter how well designed or strong that single defense is, either resourceful adversaries or Murphy’s Law eventually results in the defense malfunctioning or being bypassed. When that happens, the entire system is wide open to attack.

Recently Rob Hulsebos wrote an article for this blog where he raised the perennial problem of programming errors contributing to security vulnerability. I have a newsflash for you - this isn’t new. It may be a new concept to some in the world of Industrial Control Systems, but it’s been a problem for software engineers since about 5 seconds after the first ever program successfully compiled.

It has been almost 25 years since I first started working in the industrial network field and 15 years since I first focused on SCADA and ICS security.  From the start, I have been amazed at how difficult it is to get people to see the whole picture.

For example, control engineers know what a PLC or control loop is, but constantly underestimate the impacts that cyber threats have on their industrial processes.  IT professionals understand the risks, but often don’t understand the processes and components.

The furor over the Siemens vulnerabilities and the fear that Son-of-Stuxnet could be around the corner has raised awareness of the need for cyber security to be taken seriously by the process and critical infrastructure industries.

In reviewing material about Industrial Control Systems (ICS) there is one element that, in my opinion, is the most important factor to consider - especially in light of the recent hubbub about Stuxnet and ICS Security. That element is human centered design.

Every aspect of the control system life cycle, whether it is Concept, Design, Construction, Operation, Maintenance, Safety or Security, includes the human element. It is nothing new, but we all see time and time again where human factors, rather than technical factors play a major role in security and or safety issues.