Authentication

SCADA and DCS foster an engineer hero culture.

The plant, pipeline or process is not operating properly. One or two individuals, almost always guys who have 15+ years of experience in the plant, are able to troubleshoot the problem, make a change on the fly, and get everything working right. It’s often one guy, who is called all the time to save the day no matter where he is. One client had the luxury of having three, whom they actually called “the wizards”.

Operating this way sounds like a good thing, even a necessity, but it’s a crutch that cannot be afforded.

Consider the Worth Reading article from Sustainable Plant, “Why Safe Plants Won’t Rely on Workarounds”. It gives the Apollo 13 oxygen canister example that could have ended tragically, and discusses the dangers of a culture that rewards and promotes workarounds.

Transitioning to security, the common argument against any security controls is that nothing can stand in the way of a change that must be made in an instant. That requiring authentication of the source and input could result in disaster if it failed. That when things may be going wrong, any improvised solution must be allowed no matter what.

There are many problems with this approach. The biggest security problem is that allowing anything without basic security controls gives an attacker the same capability to make a change as one of your wizards. It means you can never trust the input to your process or the integrity of the process, because it could have been changed by anyone with logical access at any time. This lack of trust is not just during the emergencies, but all of the time, including the tedious day-to-day normal operations.

This does not even address the engineering concerns of making ill-considered, undocumented, untested changes on the fly, or of not documenting or expiring these changes.

The hero culture is a big part of the SCADA and DCS world. Admittedly it will take a culture shift to require some basic assurance on these actions, but without this you will never be able to trust the integrity of your process in the post-Stuxnet world.

Image by hanna b