If this is too depressing, wait for Monday’s article 15 Reasons to be Optimistic about ICS Security in 2015.
- Almost all ICS protocols are still insecure by design with no end in sight. Access to ICS = Compromise.
- Most potentially influential organization, US Department of Homeland Security (DHS), still will not say critical infrastructure ICS need to be upgraded or replaced. Playing small ball with little or no impact.
- No legitimate or reasonably honest and objective Automation Press to reach engineers and technicians.
- ISASecure stamp is still being put on insecure by design PLC’s and other embedded devices.
- Influential ARC Advisory Group saying 20-something controlling the plant from his basement is inevitable and focus on securing it.
- SCADA Apologists still dominate the ICS security thought leader / guru / industry and government expert positions.
- Admiral Rogers NSA/US Cyber Command testifies that our lack of defense is why we need to have a strong offense in ICS security.
- Malware targeting ICS applications and protocols.
- ICS vendors seeing no negative financial impact to vulns/insecure by design product offerings. They are fearlessly saying our product offers no security.
- The Internet of Things is confusing ICS security efforts.
- “Nothing will change until something really bad happens” mantra.
- Even when an ICS vendor has well documented security controls, the ICS vendor or integrator more often than not installs the ICS in most insecure/easiest to install configuration.
- CSET.
- Continued fascination and focus on vulnerabilities that matter little to critical infrastructure ICS risk.
- Widespread misuse of defense-in-depth principle, just put up more security perimeters, as the solution for ICS security issues.
Holistic.
Image by cal 00-0