Bill Gross has an interesting comment on Jason’s regulation post. Here is the key excerpt:

To that end, you would see the virtual elimination of security flaws in systems if you target your regulation in a way that:

1) Makes vendors accountable for financial impacts that result from the failure of their systems.
2) Gives them financial incentives to allow them to finance the needed changes – tax deductible programs for training, test lab development, bugs-per-line of code reduction, etc.
3) Develops clear criteria that can be used to measure success.

Most of the standards, guidelines, and regulations have focused on asset owners, and maybe this was the right place to start. However, I agree that next year is the time we [asset owners, gov’t, consultants, and vendors] need to push vendors to step up in both their security development lifecycle, security features in product offerings, and security support for their customers.

Over the past three years I have had the following interesting experience a few times.

  • Digital Bond finds a serious problem in a vendor application, and by serious I mean something that affects all the components in the control system: HMI, Historian, Control Server, Engineering Workstation, etc. What makes it interesting is that the asset owner has some financial leverage on the vendor. The reasons for the leverage vary.
  • Asset owner discusses it with the vendor. Vendor says they won’t fix the problem . . . unless the asset owner pays for it.
  • Asset owner decides not to use their leverage because they “are afraid they will put the vendor out of business” or “the vendor will walk away from the project”.

What we are seeing is a serious and costly shift from a world where vendors spent little or no money integrating security into their development lifecycle or adding security features to their products. This is similar to Microsoft of old, but after the worms Microsoft found they needed to add security because of market demand and found they saved money by baking security into the process and product.

In my opinion, I don’t think we are anywhere close to vendors believing they will save money and increase sales through security. And the vendors are probably right from a dollars and cents viewpoint.

So since bailouts are all the rage now, maybe we need a control system security bailout for the vendors. This is said tongue in cheek, but would it be a terrible use of $ to pay critical infrastructure to get up the security curve if the market is not going to make it happen? Is this a shovel ready project for President Obama to consider?