My point — we, the SCADA Security community, need to put all our efforts and emphasis in the PLC, RTU, controller space on getting vendors to add basic security features to the models they sell today. Begin with authenticating the source and integrity of data sent to and received from the PLC, and continue with the other Security 101 features. We should not say or pretend that any other solution besides this is acceptable. Fix the problem! We have lived with this and PLC vendor inaction far too long, and it is pathetic that there is no serious secure PLC offering.
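To make the "authenticate the source and data" requirement concrete, here is an added example (not code from this post, Digital Bond, or any PLC vendor) of the minimum a controller could do on its command channel. The frame layout, the HMAC-SHA256 tag, the monotonic sequence number, and the shared key are all assumptions made for the illustration; a real device would need provisioned per-device keys and a proper protocol. The legacy controller shows the vulnerable-by-design behaviour the post objects to: any well-formed frame is executed.

```python
import hashlib
import hmac
import struct

# Constructed shared secret for the example only; a real deployment would
# provision a per-device key out of band rather than hard-code one.
KEY = b"example-plc-key-not-for-production"

HEADER_FMT = ">HHI"          # register (u16), value (u16), sequence (u32)
HEADER_LEN = struct.calcsize(HEADER_FMT)
TAG_LEN = hashlib.sha256().digest_size


def build_command(register: int, value: int, seq: int, key: bytes = KEY) -> bytes:
    """Serialize a register write and append an HMAC-SHA256 tag over the header."""
    header = struct.pack(HEADER_FMT, register, value, seq)
    tag = hmac.new(key, header, hashlib.sha256).digest()
    return header + tag


class LegacyController:
    """Vulnerable-by-design model: executes any frame that parses, no questions asked."""

    def __init__(self):
        self.registers = {}

    def handle(self, frame: bytes) -> str:
        if len(frame) < HEADER_LEN:
            return "rejected: malformed"
        register, value, _seq = struct.unpack(HEADER_FMT, frame[:HEADER_LEN])
        self.registers[register] = value
        return "accepted"


class AuthenticatedController:
    """Security 101 model: a write is accepted only if the tag verifies under the
    shared key (source authentication and integrity) and the sequence number is
    strictly increasing (replay rejection)."""

    def __init__(self, key: bytes = KEY):
        self.key = key
        self.last_seq = 0
        self.registers = {}

    def handle(self, frame: bytes) -> str:
        if len(frame) != HEADER_LEN + TAG_LEN:
            return "rejected: malformed"
        header, tag = frame[:HEADER_LEN], frame[HEADER_LEN:]
        expected = hmac.new(self.key, header, hashlib.sha256).digest()
        # Constant-time comparison so the check itself does not leak the tag.
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad tag"
        register, value, seq = struct.unpack(HEADER_FMT, header)
        if seq <= self.last_seq:
            return "rejected: replay"
        self.last_seq = seq
        self.registers[register] = value
        return "accepted"


def demo():
    """Feed the same constructed frames to both controllers and return the verdicts."""
    legacy, plc = LegacyController(), AuthenticatedController()
    good = build_command(register=40001, value=1, seq=1)
    # Same header, but the low byte of the value flipped without recomputing the tag.
    tampered = bytearray(good)
    tampered[3] ^= 0x01
    tampered = bytes(tampered)
    # A sender that does not hold the device key cannot produce a valid tag.
    forged = build_command(40001, 0, 2, key=b"wrong-key")
    # The next legitimate command from the real sender.
    nxt = build_command(40001, 0, seq=2)

    frames = [good, tampered, good, forged, nxt]   # third entry replays 'good'
    legacy_results = [legacy.handle(f) for f in frames]
    auth_results = [plc.handle(f) for f in frames]
    return legacy_results, auth_results, legacy.registers, plc.registers


if __name__ == "__main__":
    for label, verdicts in zip(("legacy", "authenticated"), demo()[:2]):
        print(label, verdicts)
```

Running `demo()` shows the legacy model accepting all five frames, including the tampered and forged ones, while the authenticated model accepts only the two frames that were built with the right key and a fresh sequence number. This is the baseline the post is asking for; it does not address key provisioning, confidentiality, or the rest of the Security 101 list.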
My main disagreement with Joel is not on the value of NAC. It would not be on the top of my list of new technical controls like white-listing / HIPS, but it is probably worth considering its value as a compensating control. I hope to have Joel on a podcast soon to talk about his advocacy of NAC as an important tool for ICS security.
The problem is that we should not be providing any cover or any excuses for PLC/RTU/PAC/Controller vendors to further avoid designing security into their products. This has happened for years with the air gap fantasy and then the firewall “preventing access” to the PLC. PLCs were not considered vulnerable, even though they were vulnerable by design, because the attacker supposedly could not reach them. The last thing we need is another silver bullet technology that allows vendors to avoid fixing this gaping ICS security hole.
Let’s take it a step further. In two weeks Joel will be presenting on Stuxnet, other attack vectors and stopping them at the Siemens Automation Summit. Unless Siemens is prepared to announce a new line of PLCs or a major upgrade that will have the Security 101 features, this is a huge mistake. The only message that security professionals should have at that meeting is how wrong it is that the Siemens PLCs are designed with little or no security; that Siemens’ response has been late and misleading marketing spin on Stuxnet and now the Beresford vulnerabilities; and that Siemens’ customers should revolt and apply all pressure possible to make the vendor truly address the problem. I make the same plea to John Cusimano of Exida and Eric Byres of Byres Security, who will also be there presenting on ways to address Stuxnet and other ICS security issues. Remember, this is almost one year after Stuxnet and three years after a Siemens-requested INL assessment pointed out many of these Vulnerable by Design problems. After all this time there should at least be a detailed, announced plan to address it.
The last message that needs to be delivered at a Siemens User Group is that all will be OK because you can deploy NAC technology, a set of IDS signatures, or a Tofino field firewall and be secure. This is not to knock those or any other compensating controls. These are worthwhile presentations in other venues, but definitely not the message to deliver at any user group meeting where the vendor continues to ignore designing basic security features into even its flagship, new controller product lines.
I considered adding some analogies here where influential people knew there was a big problem and chose to stay silent or pretend it would be OK if we just did these other things, but they were all loaded with sensitive issues that would cause the conversation to veer off topic. Joel, Eric and John are all smart guys that I would gladly work with on projects, hire or work for. I have in the past and would again. They have all been on the TMICSS podcast because they know their stuff. It is time for the leaders in this industry to stop being sensitive to offending large vendors, making excuses and offering alternatives, and just come out and speak the truth.
We are not going to solve this problem quickly with the large deployed base of field devices out there. I’m sure that the compensating control suggestions in their presentations are helpful, but only after a lengthy and pointed discussion of the real problem of vulnerable-by-design PLCs. It is definitely time to have a secure PLC that can be purchased and deployed so the problem doesn’t get bigger, and so that the owners of the most critical ICS can solve the problem whenever their risk management determines it is necessary.