There is a tactic in sales and marketing called ‘FUD’. Many of us are familiar with it, and most of us have encountered it. It stands for “Fear, Uncertainty, and Doubt”, and the tactic involves influencing perceptions with overwhelming amounts of… “Fear, Uncertainty, and Doubt”.
FUD is a constant issue in the ICS security arena, because we deal with things that do more than go bump in the night: they can explode, spin themselves apart, electrify everything, and spread chemical nastiness into the air. So, are you suitably impressed now? Scared? Uncertain about your safety, and the safety of your family? Have an overriding need to call your representative and vent that feeling? That’s FUD.
Take, for example, this recent article that quotes Joe Weiss and Walt Boyes. First, some respect: Joe bangs the drum harder and stronger than many in ICS, and his efforts in D.C. provide pressure for change. Walt’s reputation precedes him as well, as a Fellow in ISA and a former designer of industrial automation equipment. And it’s important to note that no article, no quote, can fully represent the totality of someone’s opinion. However, I’ve read enough from both of them over the years to know where they stand on IT and ICS.
But HONESTLY fellas… why all the FUD?
Yes, we need to be careful when we add security controls to industrial control systems, perhaps not adding them at all if the age and capability of the system won’t support it. Yes, there are significant differences in how ICS works from the normal IT model, such as the need for reliable, on-time, and accurate data and control capability. And yes, well-intentioned but ICS-inexperienced IT personnel have interrupted critical processes (of course, so have engineers; there is no monopoly on oops).
But instead of following those statements up with tangible actions that IT and security vendors can take to become more aware and compete in this space, Joe and Walt criticize an entire establishment, basically because that establishment isn’t made up of engineers and doesn’t know how the plant operates. Fundamentally, not every ICS security project that employs IT personnel is doomed to failure, just as not every engineering effort is fated for success. What makes a project successful is the people, and how they work together toward a common goal; all this division and suspicion just isn’t healthy. Good people build better tools, learn faster, and provide better risk reduction, regardless of where they sit in the engineer/technician/professional hierarchy.
I understand where Joe and Walt are coming from: they don’t want unqualified individuals and companies working in the ICS space, or even talking (testifying?) about ICS-related issues. They are concerned about unintended effects, especially effects that cause the exact problem the security is attempting to prevent and detect. But going about it in this way, spreading FUD that is directed specifically at IT and security companies, may have an unintended effect itself: the truly competent hang back to make sure they are competent, while the grossly incompetent blunder on into RFPs and site visits.
The fact is this: ICS owners hire those who put themselves forward for the work, not the ones who are hanging back. The space is getting a lot hotter; we need to get the best qualified to the front, and fast.
Readers, I’m here to tell you this: it’s ok if your role in a project is security, threats, and the tools used to mitigate cyber intrusion, but not knowledge of the process. Security knowledge is necessary, it’s valuable, and it’s in short supply in the ICS community. But know your limitations, and be open, honest, and transparent about those limitations, because you are not a process expert. There must be others at the table with the process knowledge and the operational knowledge to contribute. If those individuals aren’t there, I suggest you walk, because you are in a risky situation.
What is not ok is assuming you have that experience. What is not ok is doing work on ICS systems without proper guidance from, and discussion with, those who do have knowledge of the control system and the process. What is not ok is assuming the behavior of a control system based on an entirely different IT system. Ideally, the responsibility for ensuring that contractors are competent rests with the owner, but without standards of excellence in ICS and IT by which to measure individuals and corporations, there is a lot of room for the incompetent to dodge.
In his blog post, Joe asks the question: “What does it take for ICS cyber security to become mainstream…?”
My answer: we need security, management, and operations to sit down and discuss the real rewards and risks associated with putting security into ICS, and stop trying to scare each other off. This will not be a painless process, but with discussion and transparency we can make ICS security more mainstream, and develop practices that ensure the reliability and availability of critical processes. Many of these practices already exist, such as NIST SP 800-82 and ISA99, but others will need to be found out the painful way and communicated to industry. And we need to stop the criticism and make with the actions.
Or we can continue to point, criticize, and opine from opposite sides of the table. Your choice.
Title image by opensourceway.