“Rip and Replace” Approach to SCADA Security is Unrealistic
As a reader of this blog you likely don’t need to be convinced that SCADA and ICS Security need to be greatly improved. There are several ways to go about accomplishing that, and I am glad that there is a healthy dialogue underway on this topic within the industrial security community. This includes the back and forth between myself and Dale Peterson of Digital Bond, that continues with this article.
When I attended Digital Bond’s S4 Conference earlier this month I heard Dale talking about “SCADA apologists”; however, I didn’t think he was referring to me. Then, in a blog article posted yesterday, he says “I’m disappointed that Eric went the SCADA apologist route”.
I am writing today to restate my position on what I believe needs to happen to improve SCADA and ICS security. I will also clarify where our own Tofino Security products fit in.
Different Perspectives on Achieving Improved SCADA Security
When I heard Dale use the term “SCADA apologist” I took it to mean those people who are saying it’s so hard to fix SCADA Security and are not prioritizing getting it done now. Dale particularly points to automation vendors in this regard.
I have been clear in all of my public speaking engagements and in my writing that:
- Automation vendors need to improve the security of their products
- They need to be working on this NOW
- Ultimately, security capabilities will be built into automation devices
Thus, Dale and I agree on these points.
Where we disagree is:
- The timeframe that’s possible for this to happen
- How improved cyber security capabilities will be adopted into existing plant facilities
Dale Peterson is calling on organizations to “rip and replace” all existing plant floor devices in the next three years with products that are more secure, Eric Byres says this is unrealistic.
Call Me a SCADA Realist
In Dale’s ideal world, organizations will “rip and replace” their existing PLCs, HMIs, DCS, ICS and RTUs with more secure devices in one to three years. This does not add up because:
- The value of the controllers alone, in use in the world, are in the billions
- Controllers typically have a useful life of 10-20 years
This amount of equipment simply won’t be replaced in 1-3 or 1-4 years from now. Call me a SCADA realist if you like, but my approach to the situation takes into account the magnitude of the problem and the economic realities that surround it.
I also take into account the reality of the timeframes for making a seismic change in product features. Developing, deploying and supporting new automations products with improved cyber security requires more than a three year cycle. Similarly, developing and approving new and more secure protocols, the goal of Reid Wightman who tested the Tofino for the S4 conference, also takes time.
My realistic approach is to provide products that greatly improve the cyber security robustness of SCADA and ICS systems today. It is also to work with automation vendors to have this technology embedded in their core products over time.
Tofino Security Products Secure Systems
Today Dale’s recent article calls out what he says are three issues with using Tofino Security products. Here they are with my response to them:
|Dale’s Punch||My Counterpunch|
Tofino products do not compensate for insecure protocols and endpoint security is still needed.
Tofino Security products make it a lot harder to attack endpoint devices.
“Tofino Security provides an awesome security appliance that does the best possible job with the current protocols. It did an excellent job of securing the Modbus protocol, preventing disallowed function codes from getting through.
Tofino does not protect against tunneling attacks.
For these attacks to succeed the attacker has to have access to the host on both sides of their firewall. If they have that access, then any level of security is insufficient. Better protocols and cryptographic solutions will be defeated too.
There is no such thing as perfect security and we recommend our products be used as part of an overall Defense in Depth approach. This does not negate the value of security our products provide.
“Putting a Tofino in front of every critical infrastructure seems like a waste of time and money.”
As Reid Wightman pointed out in his presentation about the Tofino Firewall, it costs half or less of the price of many PLC CPUs.
Tofino Firewall’s do not need to be in front of every single PLC. Customers often put a Tofino in a cabinet containing multiple controllers.
We recommend having them in front of zones of equipment with similar security requirements as per ISA/IEC 62443 security standards.
Kudos to Dale Peterson
I commend Dale for his efforts to make SCADA Security a priority for automation system vendors and customers. I am totally in synch with him in this regard.
However, the blueprint for making it happen involves a transition phase between insecure devices and secure devices. My philosophy and the Tofino Security product line take the transition phase into account.
What do you think? Is “Rip and Replace” over the next three years the best path to improved SCADA and ICS security or not?
Related Content to Download
Note: ANSI/ISA-99 Standards have recently been renamed ISA/IEC 62443 Standards.
- Digital Bond blog: S4: Wightman’s Tofino Raves & Limitations
- Blog: Digital Bond Testing Proves Tofino Hardens Vulnerable SCADA Protocols
- Blog: Defense in Depth is Key to SCADA Security - Part 1 of 2
- Blog: Defense in Depth: Layering Multiple Defenses - Part 2 of 2
- Pike Research blog: Are Cyber Security Researchers Burning Down the Village to Save It?