Earlier this month I spoke at the European Smart Grid Cyber Security and Privacy conference in Amsterdam. My theme was, “What are people telling me in my research?” and the focus was industrial control systems. I suspected that this would be well-received because that’s what people always ask me: What are people telling you? And I was right.
The answer, though, was “Many different things.” I reviewed results from about 30 research interviews where I had asked the question, “What is the #1 worst problem facing Industrial Control System Security?” My research subjects included utilities, systems integrators, cyber security vendors, industry specialists, and device manufacturers. From those 30 interviews I received 23 distinct answers, ranging from “Too much Linux!” to, not surprisingly, “There’s no consensus.”
On the positive side, quite a good mix of well-tested and new breed technology has been installed into ICS networks, including ruggedized devices, identity management, role-based access control (RBAC), ICS-aware network security, unified threat management (UTM) systems, data diodes, set-and-forget technologies, application whitelisting, antivirus, lots of encryption, hardened operating systems, security event management, and hardware security modules. That’s a long list. In fact, when I ask the question, “What technologies for control system security are missing?” the answer is often: none at all.
Unfortunately, some really important things are missing. In control systems it’s extremely rare to find a cyber security architecture. For that matter, many control networks are not even mapped accurately, as they may have evolved over several decades. Other than within defense agencies, I have not encountered any control systems with a true asset-based risk analysis – nor have the research contacts that I’ve asked. Change management and patch management remain incredibly challenging. And there is nothing yet like a NOC or SOC for a control network, though that cannot be too far away, since enterprise networks already do them frequently and well.
So if we combine the positives and the negatives, our present situation is about like this art installation of a deconstructed Honda Formula 1 car. We’ve got great components, but we’re missing the glue. There’s no way, yet, to make all those great components work together to achieve the desired result.
A recent special report in the Financial Times characterized cyber security as “a war marked by fatalism and denial.” That’s unfair given the amount of hard work being done by so many talented and committed professionals in control systems cyber security. And yet we present the impression of having very little in place. This month’s hacks against water utilities are yet another stain on our record. And it is our record we’re talking about here – not some government agency, not some control system vendor. The public only discerns that cyber security isn’t protecting the infrastructure – they are not interested in the details. We succeed or fail together.
Until we can (a) glue together these great components into solutions that really are end-to-end, and (b) stop viewing the problems as someone else’s, we should resign ourselves to more gloomy headlines, and to executives continuing to ask what exactly they are getting for their security dollar.