Joshua Corman of IBM/ISS gave a presentation at Interop Las Vegas yesterday titled “Unsafe at any speed: 7 Dirty Secrets of the Security Industry”. Here’s the Network World report. The title alone is interesting – making a reference to automobile safety – especially considering some recent discussion about the relationship of security to reliability and safety. I thought it might be fun to see how these seven dirty secrets apply (or not) to the control system world. So here goes…

1. Antivirus certifications are misleading
It used to be hard to find antivirus software on control networks at all, but I think we are finally getting past that. The important thing to remember is that antivirus will not stop a targeted or novel attack, but it does stop a great deal of known, self-propagating malware. Nobody wants a dormant copy of SQL Slammer replicating from the corporate LAN into the control network by way of the DMZ, for example.

2. There is no perimeter
Corman’s point here was mostly about data lost on laptops, thumb drives, etc. You could say something similar about engineering laptops moving in and out of the SCADA network, but I think the eroding perimeter of the control network comes down to two bigger issues. The first is geographic dispersion: most of these systems are spread over many sites, which creates physical security problems and makes any single perimeter hard to define. The second is abuse of the DMZ concept. Used correctly, a DMZ prevents direct communication between networks that do not trust each other: the corporate network talks only to hosts in the DMZ, and only those hosts talk to the control network. Misused, or overused to the point that it is just another segment everything talks to, it becomes a gaping hole.
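To make the "used correctly" versus "misused" distinction concrete, here is a small policy checker, added for this post rather than taken from the article or any vendor product. It evaluates a three-zone rule set (corporate, DMZ, control) with first-match semantics and probes whether a corporate host can reach a control host directly, and how much a single DMZ host can reach in the control network. The zone addresses, the rule format, the probe list and both sample policies are constructed for the example.

```python
"""Probe a three-zone firewall policy for corporate-to-control leaks.

Added illustration for this post, not code from the original article or
from any vendor. The zone addresses, rule format and both policies are
constructed for the example.
"""
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    src: str             # CIDR or "any"
    dst: str             # CIDR or "any"
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # destination port, None = any
    action: str          # "allow" or "deny"


def matches(rule: Rule, src: str, dst: str, proto: str, port: int) -> bool:
    """True if the rule applies to this flow (source port ignored)."""
    if rule.src != "any" and ip_address(src) not in ip_network(rule.src):
        return False
    if rule.dst != "any" and ip_address(dst) not in ip_network(rule.dst):
        return False
    if rule.proto != "any" and rule.proto != proto:
        return False
    if rule.port is not None and rule.port != port:
        return False
    return True


def decide(rules: List[Rule], src: str, dst: str, proto: str, port: int) -> str:
    """First-match evaluation, as most firewalls do it; default deny."""
    for rule in rules:
        if matches(rule, src, dst, proto, port):
            return rule.action
    return "deny"


# Services worth probing on a control network: Modbus/TCP (502) and
# EtherNet/IP (44818) are the registered ports; UDP/1434 is the SQL Server
# resolution port Slammer hit; 3389 is RDP.
PROBES = [("tcp", 502), ("tcp", 44818), ("udp", 1434), ("tcp", 3389)]

# Constructed host addresses for the example.
CORP_HOST = "10.0.5.20"
DMZ_HOST = "10.1.0.10"
CONTROL_HOST = "192.168.100.10"


def allowed_probes(rules: List[Rule], src: str, dst: str) -> List[Tuple[str, int]]:
    """Return the probe services src may reach on dst under this policy."""
    return [(p, port) for p, port in PROBES if decide(rules, src, dst, p, port) == "allow"]


def direct_corp_to_control(rules: List[Rule]) -> List[Tuple[str, int]]:
    """Flows that bypass the DMZ entirely: any hit here is a finding."""
    return allowed_probes(rules, CORP_HOST, CONTROL_HOST)


def dmz_reach_into_control(rules: List[Rule]) -> List[Tuple[str, int]]:
    """What one DMZ host can reach in the control network.

    The DMZ box is the one a corporate-side attacker can get to; if it can
    talk to the control network on arbitrary services, the DMZ is a
    stepping stone rather than a barrier.
    """
    return allowed_probes(rules, DMZ_HOST, CONTROL_HOST)


# Correct use: corporate talks to the DMZ, one DMZ host talks to the
# control network on one service, everything else is denied.
GOOD_POLICY = [
    Rule("10.0.0.0/16", "10.1.0.0/24", "tcp", 443, "allow"),        # corp -> DMZ historian
    Rule("10.1.0.10/32", "192.168.100.0/24", "tcp", 502, "allow"),  # collector -> PLCs
    Rule("any", "any", "any", None, "deny"),
]

# Misuse: a "temporary" corp -> control rule, and a DMZ subnet with an
# any/any rule into the control network.
BAD_POLICY = [
    Rule("10.0.0.0/16", "10.1.0.0/24", "tcp", 443, "allow"),
    Rule("10.0.0.0/16", "192.168.100.0/24", "any", None, "allow"),  # vendor remote access "for now"
    Rule("10.1.0.0/24", "192.168.100.0/24", "any", None, "allow"),
    Rule("any", "any", "any", None, "deny"),
]


if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, "corp->control:", direct_corp_to_control(policy),
              "dmz->control:", dmz_reach_into_control(policy))
```

Probing representative flows through the policy, rather than grepping the rule list for "any", is deliberate: firewalls are first-match, so a broad allow can be harmless if shadowed by an earlier deny, and a narrow-looking rule can be the one that actually opens the path.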

3. Risk analysis threatens vendors
Asset owners should continually assess risk, both to understand where their attention should be focused and to keep in mind that there is no silver bullet for good security. Hopefully that is enough to keep them from buying products that make no sense for their environment. Security vendors, on the other hand, must understand the goal and function of control system environments in general, and of each customer specifically, before they can offer something of value.

4. There is more to risk than just weak software
Excellent point. Poor coding practices are a problem in this space, but only part of it. The bigger problem is an “open by default” mentality: devices and applications ship with every service enabled, and that is how they stay once deployed, which leads to bad configuration practices everywhere downstream.

5. Compliance threatens security
There are some who feel that NERC CIP and other compliance efforts actually do more harm than good. My personal experience, however, does not corroborate this. Does compliance fix everything? No. Does it bring some attention and funding where it is needed? I believe it can.

6. Vendor blind spots allowed the Storm worm outbreak to happen
To me, this is just an extension of dirty secret number one. The social engineering aspect is certainly a valid concern. Of the other technologies mentioned, anomaly detection in particular has real potential in control networks, where traffic is far more static and predictable than on a corporate LAN.
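As an added example tying this point to the Slammer scenario under dirty secret number one (not code from the post, from Corman, or from any product): a whitelist-style anomaly detector over control-network flow records. It learns the set of (source, destination, protocol, port) tuples during a clean window, then flags flows outside that set and any source fanning out to many destinations on one service, which is what worm propagation from a DMZ host into the control subnet looks like. The log format, addresses, timestamps and byte counts are all constructed; UDP/1434 is the SQL Server resolution port Slammer used.

```python
"""Whitelist-style anomaly detection over control-network flow records.

Added example for this post; not code from the original article, from
Corman, or from any product. The log format and every flow line below
are constructed. The premise is that control-network traffic is static
enough that a learned set of (src, dst, proto, port) tuples is a usable
baseline, which is not true of a general corporate LAN.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

FlowKey = Tuple[str, str, str, int]

# Constructed one-line-per-flow format: "<ts> <src> > <dst> <proto>/<dport> <bytes>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+) (?P<proto>tcp|udp)/(?P<port>\d+) (?P<bytes>\d+)$"
)


def parse(line: str) -> Dict:
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError("unparseable flow line: %r" % line)
    d = m.groupdict()
    d["port"] = int(d["port"])
    d["bytes"] = int(d["bytes"])
    return d


def flow_key(f: Dict) -> FlowKey:
    return (f["src"], f["dst"], f["proto"], f["port"])


def learn_baseline(lines: List[str]) -> Set[FlowKey]:
    """Every flow seen during a clean learning window is 'normal'."""
    return {flow_key(parse(l)) for l in lines}


def detect(lines: List[str], baseline: Set[FlowKey], fanout_limit: int = 3) -> List[Tuple]:
    """Flag flows outside the baseline, plus sources fanning out to more
    than fanout_limit destinations on one service (worm-like spread)."""
    alerts: List[Tuple] = []
    targets: Dict[Tuple[str, str, int], Set[str]] = defaultdict(set)
    for line in lines:
        f = parse(line)
        targets[(f["src"], f["proto"], f["port"])].add(f["dst"])
        if flow_key(f) not in baseline:
            alerts.append(("unknown-flow", f["ts"], f["src"], f["dst"],
                           "%s/%d" % (f["proto"], f["port"])))
    for (src, proto, port), dsts in sorted(targets.items()):
        if len(dsts) > fanout_limit:
            alerts.append(("fan-out", src, "%s/%d" % (proto, port), len(dsts)))
    return alerts


# Constructed learning window: an HMI polling two PLCs over Modbus/TCP and
# a DMZ historian collector pulling from the HMI.
LEARNING_LINES = [
    "2008-04-30T08:00:01 192.168.100.10 > 192.168.100.50 tcp/502 1200",
    "2008-04-30T08:00:01 192.168.100.10 > 192.168.100.51 tcp/502 1180",
    "2008-04-30T08:00:05 10.1.0.10 > 192.168.100.10 tcp/1433 4096",
]

# Constructed detection window: the same traffic plus the DMZ host spraying
# UDP datagrams at port 1434 across the control subnet (Slammer's port;
# the addresses, timestamps and byte counts are made up).
DETECTION_LINES = LEARNING_LINES + [
    "2008-04-30T09:14:%02d 10.1.0.10 > 192.168.100.%d udp/1434 376" % (i, 50 + i)
    for i in range(5)
]

BASELINE = learn_baseline(LEARNING_LINES)


def unknown_flows(alerts: List[Tuple]) -> List[Tuple]:
    return [a for a in alerts if a[0] == "unknown-flow"]


def fanouts(alerts: List[Tuple]) -> List[Tuple]:
    return [a for a in alerts if a[0] == "fan-out"]


if __name__ == "__main__":
    for alert in detect(DETECTION_LINES, BASELINE):
        print(alert)
```

The fan-out check matters because a compromised DMZ host that already has a legitimate path into the control network will not trip the unknown-flow check on its first victim if that tuple happens to be in the baseline; a burst of new destinations on one port is the signal that survives.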

7. Security has grown well past do-it-yourself
The Network World article quotes Corman and says this:

Security vendors try to convince businesses that security is so complex that they cannot possibly do it alone, Corman says. But the security needs of businesses are so individual that merely choosing a product is not enough. “It’s not enough to have the right tool. It needs to be installed and configured properly for the environment,” he says…

This may apply as much to the IT-Operations relationship as it does to Vendor-Customer. In some organizations, IT is pushing for better security, dragging the operations and control systems personnel along with them. In others, it is quite the opposite. In either case, Corman offers some pertinent advice.

I’m always interested to see what can be extended and applied to our community. While I don’t agree with all of Corman’s dirty secrets, he does offer some interesting points that, if nothing else, provide good food for thought.