SCADA Security: Losing the Battle to Efficiency
Last week I received a humorous note from Dr. Paul Dorey directing me to two side-by-side lead articles in the latest Automation.com eNewsletter, Programmable Automation Controllers (PAC) Update.
Really, Really, Really Cyber Secure
ControlGlobal, August 2011
By Walt Boyes
“It is now clear that machine-level, embedded controllers, such as PLCs, PACs and DCS controllers are vulnerable from both inside and outside the plant.”
Automation & Control Getting iPhone App Enabled
Design News, July 2011
By Alexander Wolfe
“Programmable logic controllers are beginning to connect beyond the confines of the factory floor, via iPhone Apps that display status data or even control PLCs directly via over-the-air commands.”
As Paul noted, this “expresses the tensions perfectly!” On one hand, industry is becoming concerned about just how vulnerable control systems have become to outside attacks. At the same time, new tools and applications that increase that exposure are appearing daily.
Security - Ease of Use and Efficiency’s Poor Cousin
It is a well-proven fact that human beings are terrible at making good judgments about risk. We badly underestimate the risks of very infrequent, but serious events (black swans). We lean toward decisions that are beneficial or efficient in the short term, as long as the consequences are sufficiently long term. We underestimate the risks of things we can control (like driving a car), but overestimate the risks of things we can't control (like being in a plane crash).
This is not just a fact for security-related decisions. We are bad at any risk-related decision – health, personal safety, financial planning and so on. Consider the poor smoker – neither gruesome images of cancer victims nor graphic warning labels prevent them from opening those packs and enjoying their next smoke... Only when a health crisis is upon us do most of us modify our behaviours.
For SCADA and ICS security the story is the same. In the battle between making a task easier and making a task more secure, nine times out of ten, security is going to lose.
Taking a Page from Safety
Of course, safety and security do triumph sometimes. Smoking rates are falling, workers in factories are more safety aware and driving deaths are declining (at least in the developed world).
Typically these wins come from one of three causes:
- Sustained educational programs.
- Enforced management of behaviours.
- Simplified risk reduction technologies.
Consider driving deaths due to car accidents. Massive educational programs on the risks of driving without a seatbelt, laws requiring the wearing of seatbelts, and the introduction of improved safety technology (such as antilock brakes and air bags) in automobiles have all been needed to drive these deaths downward. All three have been critical legs of the solution. All have been expensive and slow to show significant results. But they do get results.
ICS and SCADA security needs to take a page from the lesson book of safety, especially industrial process safety. Significant progress has been made in this area over the past two decades:
- Years of repeated safety education programs have slowly made safety top of mind for anyone entering an industrial site.
- Well-designed standards like IEC-61508 (Functional safety - Electrical/electronic/programmable electronic safety-related systems) and IEC-61511 (Functional safety - Safety instrumented systems for the process industry sector) have led to well-designed safety strategies.
- Significant improvement in the technologies and ease of use for safety instrumented systems (SIS) has made deploying a safe process an economically viable reality.
All three have been critical to achieving safer plants and factories.
Winning the Battle Requires Simple, Easy to Implement Cyber Security Technology
We are not going to be successful at making our factories and infrastructure more secure unless we embrace education, standards and technology as the three legs of the solution. Furthermore, each leg needs to be well-designed. Education that is sporadic, poor regulations that reward compliance rather than results, or technology that is complex and cumbersome will doom the quest for better security.
With regard to technology, the battle between security and efficiency has to end. These two characteristics need to become one; that is, the cyber security solution itself must help the plant become more efficient. The technology should allow both the business and its engineers to achieve their goals.
Robust yet simple and easy-to-implement cyber security technology, sustained education and well-thought-out standards are all required to end the battle between security and efficiency – and truly protect our plants and critical infrastructure.
Related Content to Download
Article - "Safety and Security: Two Sides of the Same Coin"
Information about Human Judgement Regarding Risk
Why the Human Brain Is a Poor Judge of Risk
Wired News, March 22, 2007
Cognitive biases potentially affecting judgment of global risks
Singularity Institute, August 2006
Information about Safety
- IEC-61511 (Functional safety - Safety instrumented systems for the process industry sector)
- IEC-61508 (Functional safety - Electrical/electronic/programmable electronic safety-related systems)
- exida - Control System Security blogs