Secure By Design

Happy New Year to all loyal readers. We hope you had a chance to rest up and enjoy time with friends and family over the holidays.

My resolution for 2013 is simple: By the end of the year there will be a consensus that insecure-by-design PLCs and other field devices need to be replaced or upgraded in the next 1 to 3 years.

Here’s how we will measure success:

  • The US Government and at least two other governments will publicly state this as a policy position.
  • The majority of “ICS security gurus” will take this position.
  • PLC vendors representing 75% of the critical infrastructure market share will announce a new product with source and data authentication for sensitive functions and other basic security features.
  • 75% of ICS protocols used in the critical infrastructure will at least begin an effort to integrate authentication into the protocol.
  • At least two major industry groups will take a public position that source and data authentication should be deployed for sensitive functions as a fundamental or basic security practice.

This is not a passive prediction that this will happen. This is what the majority of my pro bono time will be focused on this year, and I’d welcome all support to make this resolution come true.

On a related note – the theme of the S4x13 conference is NOW! The attendees that will be at this event in two weeks easily have the capability of making this and other important changes happen.

Skeptics will say that change has not happened for over a decade now, and the mindset hasn’t changed at all. One could make a compelling, data-point-filled argument for that position. However, things never change until they do, and it often happens at a surprisingly fast rate after a long period of intransigence.

You will see a few other changes starting this year. First, we are launching the Japanese version of this site next Monday. Initially it will feature a weekly entry similar to an expanded Friday News & Notes on Mondays in Japanese, and we will see where it goes from there. Second, we will be looking to move our research into areas where it will be better supported. We already have a solution for SCADA IDS that will be announced soon, and we are working on something similar for Bandolier and the SCADA Honeynet.

It should be an interesting year, and we look forward to covering it. My goal is 200 blog entries this year, and I’d really like at least a third of them to be success stories, so send me some good news.

Image by tEdits