It started innocently enough with a tweet from Joel Langill.

MS Warns of Permanent 0Day Exploits for WinXP huge impact to legacy #ICS – why you need more than patch mgmt

— SCADAhacker (@SCADAhacker) August 26, 2013

and my response:

RT @SCADAhacker: MS Warns of Permanent 0Day Exploits for WinXP – why you need more than patch mgmt < like a plan to run on supported sw

— digitalbond (@digitalbond) August 26, 2013

Followed by a minor twitter storm from the active ICSsec tweeps.

Microsoft will stop providing security patches for Windows XP in April 2014. Asset owners have had ample time, over 1000 days, to plan and upgrade to a supported operating system … or at least that’s my contention.

Joel provided a number of reasons (excuses?) why asset owners would not be able to upgrade. The reason I want to address is the case where the vendor does not offer the application on a supported OS.

@digitalbond … plus IP designed into existing #ICS cannot always be migrated. This is a “fact of the field” that you have to deal with.

— SCADAhacker (@SCADAhacker) August 26, 2013

Many asset owners cite the lack of vendor support as a reason for not implementing security controls.

  • The vendor only supports XP so we can’t upgrade to Windows 7.
  • The vendor says patching will invalidate our warranty so we can’t patch.
  • The vendor won’t support a secure protocol.
  • The vendor won’t fix known vulnerabilities.
  • The vendor says we can’t run anti-virus (vendors rarely say this anymore, but it is still heard from asset owners who are not running anti-virus).

So we can blame the lack of progress in ICS security on the vendor (the chicken). Not so fast…

For example, there are a growing number of vendors that certify and support Microsoft and third party patches, and a very small percentage of their customers apply the patches. Eric Byres tells a story and shares statistics on the frustrations in getting customers to apply a free patch on Tofino — only 30% even downloaded an important Tofino patch. And Tofino users by their purchase are demonstrably amongst the most security conscious.

All too often the vendors are a convenient excuse for asset owner inaction. Asset owners (the egg) look at cyber security as a lot of unnecessary work. After all, they have no evidence of the cyber attacks affecting the integrity or availability of their ICS. The majority of operations groups, even in the critical infrastructure, are not hounding their vendors for even basic cyber security. It is a happy world where vendor limitations are the reason they can’t have a secure system.

Sometimes it is an unholy alliance between the vendor and asset owner (the chicken omelette). We see this in the insecure by design PLC issue. The vendors claim that they are not getting customer demand to add secure protocols or other integrity and availability security controls to the PLC. They will gladly add this when the customer asks for it. This is a simple and compelling argument.

Asset owners’ role in the chicken omelette is more complex. First, many don’t believe the lack of security is an issue because their vendor tells them all is ok. The GE D20MX discussed last week is a great example. From the brochure, the D20MX “introduces a new and modern network security feature suite that enables effective compliance with NERC-CIP requirements”. GE is far from alone in this. The gap between the promoted security level and the actual security level is huge. Sure, there are some new security features and web server patches are being generated, but the application still has backdoors, insecure protocols and large numbers of latent vulns. Why would an asset owner feel he needs to ask for security when the vendor is telling him the solution he has and is buying is secure?

The more cynical message is neither the vendor nor asset owner want to deal with security so neither presses the issue. They both are happy to believe the marketing hype about “holistic security” and falsely applied defense-in-depth. Not having a secure option from the vendor makes security impossible. Not having customer demand prevents the development of needed features. If a security incident or news brings the lack of security to the forefront, they can point fingers at each other until the pressure is eased.

So who is the salsa? SCADA Apologists are the salsa. Smart and respected people like Joel and organizations like ICS-CERT/INL/DHS are the salsa. They say and write that it will be decades before critical infrastructure ICS will be secured. They say and write it is unreasonable to expect secure protocols, supported OS, applied security patches, and other basic security controls we expect in systems … And because they are smart and respected, they provide cover for the vendors and owner operators.

Why would an asset owner feel the need to secure their ICS when most respected organizations and individuals say it just isn’t possible or practical? Joel accused me of getting personal in the conversation by labeling him a SCADA Apologist. While it clearly isn’t a compliment, it is a recognition that he shapes thought in the ICS security space. This is why the SCADA Apologists are a huge part of preventing progress in ICS security. When Joel or Eric or DHS say that basic security controls are just not possible in many or most cases, and they won’t be for another 10 or more years, it provides the needed cover for asset owners and vendors to do nothing.