Many of us in the Control System community feel pretty secure in the belief that our critical networks are not directly connected to the internet, and as such are insulated from attack. Apparently (and as oft has been stated) this is not sufficient protection, if the control systems communicates with a network that does have internet access. According to a recent article the Conficker virus was savvy enough to hop from one internet connected network segment into critical medical equipment on a non internet connected segment via an interconnect.
In Control Systems this would be comparable to the Control System and its various segments being connected to an internet connected corporate environment. In this type of common scenario, where proper protections are not in place a clever virus could possibly hop segments (as in the article) and a good attacker definitely could, leading to a compromised process.
Proper firewalling would reduce the risk of this type of cross infection but the ideal solution would be to limit the connectivity to an individual machine hanging on a DMZ attached to the firewall. The firewall should only permit that communication that is absolutely essential to operations form the Control System to the DMZ system, and from the DMZ system to the corporate environment. The first rule in the firewall should be “deny all” with only one or two exceptions for the necessary communications, usually a pathway for a historian slave.
By the proper application of security techniques the possibility of a viruses or attacker hopping segment can be greatly reduced, in turn mitigating risk. These techniques would limit the cross infection of systems as occurred to the critical medical devices as in the referred article.