After 6 years considering security for control systems I have come to the conclusion that there is very little security in control systems. Sure, we can take measures to tighten up the security of the PCs and devices that compose the system, but given the number of simple exploits against the control system software, the ability to totally control the communication streams (Byres stated at ICSJWG in regards to Modbus, “if you can ping it, you can program it”), and the ability to directly impact the field devices through firmware pushes, what then does security for control systems imply?
Today, this implies perimeter security: ensuring that the bad actors do not have access to the actual system, as once they do it is game over. So we apply layers of devices to provide defense in depth at the perimeter of the system, but often things are overlooked. I have seen too many “mostly good” deployments. Limited connectivity, good firewall rulesets, ACLs, IDSs, all in place, and then everything thwarted by a direct connection from the corporate zone into the control system zone that no one remembers the reason for. Or a dual-homed smart printer bridging the zones, poorly secured WiFi, or some other long-forgotten item that circumvents perimeter security.
As long as there are no confidentiality, integrity and authenticity (CIA) measures inherent in the control systems’ communications, as long as no passwords, clear-text passwords, default passwords, and one shared password for everyone are allowed and prevail, as long as field devices allow unauthenticated software pushes, well, I can go on with a litany of defects. Needless to say, as long as security is not a driving principle of the design of these systems, they represent some very low-hanging fruit and perimeter defense becomes paramount. With the 20-30 year lifecycle of these systems, even though many vendors are starting to address these problems, if a new system was purchased and deployed today, it would most likely be subject to my above gripe list for the next 25 years.
Projects like Bandolier and Portaledge help remediate the problem: Bandolier by creating fewer entry points into the system through tightening the security on individual systems, Portaledge by monitoring the systems for indications of attack. The Wurldtech software certification process is also a step in the right direction. These efforts help, but are not a panacea.
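To make the two points above concrete (the protocol carries no authenticity measure, so the only thing a monitor can do is watch who is writing), here is an added example that is not from the original post, Bandolier, Portaledge or Wurldtech. It builds and parses a Modbus/TCP Write Single Register request, which has no field for a credential, nonce or MAC anywhere, and then runs a simple allowlist check over constructed sample traffic to flag state-changing function codes that come from a host other than an engineering workstation. All IP addresses, the allowlist and the sample frames are hypothetical.

```python
"""Modbus/TCP frame builder/parser plus a write-from-unexpected-host check.
Added example with constructed data; not code from the page or any project."""
import ipaddress
import struct

# Function codes that change state on the slave (writes, file records,
# diagnostics; 0x08 sub-functions can restart comms or force listen-only).
STATE_CHANGING_FUNCTIONS = {0x05, 0x06, 0x08, 0x0F, 0x10, 0x15, 0x16, 0x17}

# MBAP header: transaction id, protocol id (always 0), length, unit id.
MBAP = struct.Struct(">HHHB")


def build_write_single_register(transaction_id, unit_id, address, value):
    """Build a Modbus/TCP Write Single Register (FC 0x06) request.

    Note that nothing in the frame identifies or authenticates the sender:
    any host that can reach TCP/502 can emit exactly these bytes.
    """
    pdu = struct.pack(">BHH", 0x06, address, value)
    # The MBAP length field counts the unit id byte plus the PDU.
    return MBAP.pack(transaction_id, 0x0000, 1 + len(pdu), unit_id) + pdu


def parse_modbus_tcp(frame):
    """Parse the MBAP header and function code; return None if malformed."""
    if len(frame) < MBAP.size + 1:
        return None
    tid, proto, length, unit = MBAP.unpack_from(frame, 0)
    if proto != 0 or length != len(frame) - 6:
        return None
    return {
        "transaction_id": tid,
        "unit_id": unit,
        "function": frame[7],
        "data": frame[8:],
    }


def flag_unauthorized_writes(flows, engineering_stations):
    """flows: iterable of (src_ip, dst_ip, frame) tuples.

    Returns a list of (src, dst, reason) alerts for malformed frames and for
    state-changing requests whose source is not an allowed engineering host.
    """
    allowed = {ipaddress.ip_address(a) for a in engineering_stations}
    alerts = []
    for src, dst, frame in flows:
        msg = parse_modbus_tcp(frame)
        if msg is None:
            alerts.append((src, dst, "malformed Modbus/TCP frame"))
            continue
        fc = msg["function"]
        if fc in STATE_CHANGING_FUNCTIONS and ipaddress.ip_address(src) not in allowed:
            alerts.append((src, dst,
                           f"FC 0x{fc:02X} write to unit {msg['unit_id']} "
                           f"from non-engineering host"))
    return alerts


# Constructed sample traffic with hypothetical addresses: one engineering
# workstation (allowed to write) and a corporate-zone host that should only
# ever be reading, if it is present at all.
ENGINEERING_STATIONS = ["10.10.1.5"]
SAMPLE_FLOWS = [
    ("10.10.1.5", "10.10.2.20", build_write_single_register(1, 1, 0x0010, 0x1234)),
    ("192.168.50.77", "10.10.2.20", build_write_single_register(2, 1, 0x0010, 0x0000)),
    # A Read Holding Registers (FC 0x03) request: not state-changing, not flagged.
    ("192.168.50.77", "10.10.2.20",
     MBAP.pack(3, 0, 6, 1) + struct.pack(">BHH", 0x03, 0x0000, 0x0002)),
]

if __name__ == "__main__":
    for src, dst, reason in flag_unauthorized_writes(SAMPLE_FLOWS, ENGINEERING_STATIONS):
        print(f"{src} -> {dst}: {reason}")
```

The allowlist is the whole control: because the frame itself proves nothing about its origin, a monitor like this can only reason about network position, which is exactly why a forgotten corporate-zone link or a dual-homed printer defeats it.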
As long as security is not a driving design consideration, tightening the perimeter is our best bet... for everything but the insider threat. Is this ideal, or the best that we can hope for? Surely not.