Some of the post-Stuxnet discussion, and much of the discussion long before it, starts from the premise that we need to improve security so that this type of attack can never succeed: that if we all just do the right things, control systems will be impenetrable. When we see unpatched systems, hard-coded passwords, cleartext authentication, unauthenticated firmware upload and other basic security problems, it is clear that we have a lot of work in front of us as a control system security community. However, that does not mean we should expect, or even aim for, perfect security.

If as a community we expect to stop all attacks, we will fail. There will always be new 0day vulnerabilities. There will always be human failures to follow policy, such as plugging in a USB stick. Defense in depth gives us a better chance of stopping an attack, but some combination of failures will always be possible, and it will happen from time to time. Furthermore, every technical and administrative security control has a cost, and at some point the additional risk reduction is not worth that cost.

What we need to focus on is risk management: what are the biggest risks, and how do we reduce them to a level of acceptable risk? This is not a radical idea in security, but we have missed it in control system security. There is an expectation of perfect security, as when a congresswoman insists on a yes or no answer to “Is the electric grid secure?” We will never be able to simply answer Yes to that question, no matter how much time and money is spent.

The response I hear is that control systems are different: an attack can cause severe damage to the economy or loss of life. Yes, this is true, but you can also lose your life when you drive on the highway, board a plane, or eat shellfish. You take on more risk every time you leave the house, yet people do it every day. There is a cost / benefit analysis behind these decisions, and there are security controls in place that reduce the risk to a level where people choose to proceed.

There are also examples where cyber risk is not the highest risk to a system or asset. A physical attack, or an attack through a human asset, may be much easier to carry out and pose the higher risk, and that is where the effort should be placed. There are some great examples in the NISTIR and elsewhere, and I’ll expand on this in future entries.