That was the question Ralph Langner asked in a comment on a Friday News and Notes item, and then he and Michael Toecker had an interesting back and forth. Here is my two-part answer.

1. Because when you have an IP network, a small segmented island can intentionally or mistakenly get routed almost anywhere. And we have many examples where the IP stacks of control system field devices and instruments have not been robust when unexpected data has hit them, let alone an attack. And some of these systems have shared resources, so when the IP stack has a problem the whole device is unavailable.

A simple example is the story two years ago where the Boeing 787 passenger wireless Internet access was connected to the control, navigation and communication system. A legitimate need for the ground control to be connected via an IP link to the plane control systems is a potential attack or bad data vector because that network is definitely not an island.
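As an added illustration of the first point (example code, not from the original post): a small routing model over a constructed corporate/OT topology that traces whether a host on the "island" subnet is reachable from the corporate network, before and after a single static route is added on the corporate side.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (assumption, not from the post): a corporate router and an
# OT edge router sharing a point-to-point link; 192.168.50.0/24 is the "island".
CONNECTED = {
    "core":    [ip_network("10.1.0.0/16"), ip_network("10.0.0.0/30")],
    "ot-edge": [ip_network("192.168.50.0/24"), ip_network("10.0.0.0/30")],
}
# Static routes as (router, destination prefix, next-hop router).
# Before: only the island has a default route pointing outward.
ROUTES_BEFORE = [("ot-edge", ip_network("0.0.0.0/0"), "core")]
# After: one extra route on the corporate side (e.g. added for remote support).
ROUTES_AFTER = ROUTES_BEFORE + [("core", ip_network("192.168.50.0/24"), "ot-edge")]

def next_hop(router, dst, routes):
    """Longest-prefix match over this router's routes; None if nothing matches."""
    best = None
    for r, prefix, hop in routes:
        if r == router and dst in prefix:
            if best is None or prefix.prefixlen > best[0].prefixlen:
                best = (prefix, hop)
    return best[1] if best else None

def trace_path(connected, routes, src, dst):
    """Return the list of router hops from src to dst, or None if unreachable
    (no matching route, or a routing loop)."""
    src, dst = ip_address(src), ip_address(dst)
    router = next((r for r, nets in connected.items() if any(src in n for n in nets)), None)
    path = []
    while router is not None and router not in path:  # revisiting a router means a loop
        path.append(router)
        if any(dst in n for n in connected[router]):
            return path
        router = next_hop(router, dst, routes)
    return None

if __name__ == "__main__":
    for label, routes in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        print(label, "corp -> island:", trace_path(CONNECTED, routes, "10.1.7.20", "192.168.50.10"))
        print(label, "island -> corp:", trace_path(CONNECTED, routes, "192.168.50.10", "10.1.7.20"))
```

Note that even "before" the island already has a path outward through its default route; the single added route is all it takes to make the field devices reachable from the corporate side.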

2. The second answer, and I like this better, is it depends on the threat model. What is the threat model for these IP systems and the network? We should be designing administrative and technical security controls to deal with threats. And threats can be more than directed attacks. We should not be trying to meet the mythical “best practice”, but we should be addressing what was identified and agreed to in a threat model.

One of my favorite parts of this year’s S4 was Shailendra Fuloria’s example of the HomePlug threat model allowing a one time cleartext transmission of a crypto key in a Simply Connect mode. This is a serious violation of security guidance, but the HomePlug team determined that the threat of an adversary sitting outside a home or business and waiting to capture the key the first time the device was activated was not a credible threat that needed to be addressed.

One final thought: if there is a feeling that aircraft are not “Industrial”, then that reinforces my long-held skepticism of the term ICS – Industrial Control System. I do think we should be bothering with the security of transportation systems and building automation systems and other systems . . . to the degree it is required based on the threat model.