We are increasingly running into situations where asset owners are cobbling together multiple security controls to do unnecessary and risky functionality they would never consider in the past. The most common example is providing the ability to manage and configure field devices from any computer on the corporate network.
A firewall and VPN is proposed, followed by strong two-factor authentication, followed by terminal services, followed by … Security controls are added to security controls with the idea that the right amount of security will make this an acceptable practice.
If this is the case, why do we bother with control centers? Why don’t operators simply run the HMI on normal PC’s on the corporate network? I know this would seem like heresy to asset owners, and it should. However there often isn’t similar concern in authorized users being able to manage and configure any and all field devices from a corporate PC.
The pushback we get is a challenge to identify the vulnerability that will lead to the risk, and if we identify a vulnerability the answer is to add another piece of security hardware or software. Unfortunately we don’t know what we don’t know. Look over the last year and you will see latent vulnerabilities discovered that allow remote control in security devices such as SSL implementations and firewalls. Lining up all those security controls actually increases the attack surface. It reminds me of my crypto days where I would see a budding cryptographer develop an extremely complex algorithm that would all collapse down to an 8-bit exhaust because of a poorly placed weak function.
To make matters worse the reason for taking this risk is more often than not convenience. We are a proponent of having a secure method for emergency remote access because there are operational reasons this is required. However we rarely see a valid operational reason that an engineer or maintenance personnel cannot work on a dedicated system in a secure area as a regular practice.
This is not saying that data can not be pushed out from the control system to the enterprise network through a DMZ. This is a sound practice and often represents most of the required access from the corporate network. But control and access that will affect control should be restricted to logically and physically secure control systems.
On this issue call me a Luddite.