I had finished my presentation on a wide variety of topics (Big Data / Cloud Computing / Internet of Things / ICS remote access), and the Q&A had started. After stressing in the presentation that ICS data can be shared anywhere without jeopardizing the integrity and availability of the ICS, but that non-emergency remote access to critical infrastructure ICS must not be allowed, I got the question that illustrates the challenge in making progress in ICS security.
Paraphrasing the question … “What you recommend is impossible, especially for the next generation of workers that expect to be able to make changes to the plant from their basement on their iPhone. Given that prohibiting remote access is impossible, what is your recommendation to secure it?”
IT’S A TRAP!!! And one that I refuse to play along with. The depressing thing was that, looking out at the audience, I could tell that a large portion (a majority?) agreed with the questioner. An audience of vendors, asset owners, consultants, government officials et al. that are looked to for defining ICS security thought that it is inevitable and acceptable that critical infrastructure will be controlled from phones, tablets and laptops anywhere, anytime as a regular occurrence.
This is one of the reasons I have significantly reduced the number of ICS security events I attend and speak at. If the ICS security community were going to force change and solve this problem, it would have happened by now. Change is going to come from outside the ICS security community or not occur until a very sad and tragic event or two happens. And this is not something I’m willing to wait for.
There were a number of supportive attendees who came up after the presentation. And please don’t misunderstand, I welcome disagreement on a presentation or solution (see Darren Highfill’s S4x14 Unsolicited Response), but not surrender. It is also important to note that there are a number of critical infrastructure asset owners that are doing, and are committed to continuing, what the questioner said was impossible.
This is one of many areas where the US Government and DHS could take leadership if they chose to. The DHS response to the insecure-by-design problem was not to focus on this as an issue that must be fixed. Instead, DHS took the position that insecure by design would not be considered a vulnerability worthy of an ICS alert or advisory. It would have been surprising, but refreshing, to have someone from DHS push back hard on the comment about the inevitability of anytime/anywhere critical infrastructure remote control and say this should not be an option in critical infrastructure.
Attendees and others interested can see my Prezi online at this link. Admittedly, the picture-based Prezi is a bit harder to understand unless you were there or the entire script is included.
Given this was a DHS event, I thought it only appropriate to focus on ICS that monitor and control the critical infrastructure. So after quickly dismissing the Internet of Things, with an interesting WEIS statistic, the bulk of the presentation used the GE On Site Monitoring / Atlanta Data Highway as an example.
Monitoring 1800 power generation systems in 60 countries is a great example of the promise and benefits of Big Data / Cloud Computing. It also is a big, fat, high-value target. Does this mean that critical infrastructure ICS should avoid these types of services? Absolutely not. Just push the data to them so the integrity and availability of the ICS are not at risk.
Does Software as a Service (SaaS), e.g. an HMI in the cloud, have a place in ICS? While SaaS has no place in a critical infrastructure ICS, you can make an argument that an HMI in the cloud might be lower risk for a small municipal water utility than a completely neglected ICS with a weak security perimeter.
Tomorrow I’ll write about the rest of the ICSJWG event.