There have been many events and data points showing that even people knowledgeable in ICS and security have difficulty communicating with each other, because we hold different views and experiences of what an ICS is. The latest example is Kaspersky’s Threat Landscape for Industrial Automation Systems H1 2018 report. The report stated that “42% of all machines had regular or full-time internet connections”, and based on the other statistics a large percentage of that 42% were sending and receiving email. In case you think Kaspersky isn’t looking at ICS, they characterized the 320 computers in the survey as SCADA servers, historians, OPC gateways, engineering workstations (EWS) and operator stations/HMI.
My initial reaction was, that’s crazy. We see almost no direct Internet access from ICS computers, and these computers are certainly not receiving email. Even taking into account that our clients are obviously security conscious, since they are hiring an expensive consultant to help them, those numbers were ludicrous. On second thought, the computers Kaspersky was monitoring likely fell under the broad ICS definition: building automation systems, which are often on the corporate network, and other low value ICS [1]. By contrast, I typically work with ICS that run power plants, pipelines, large manufacturing plants, large water systems, etc.
This demonstrates the challenge we have in communicating effectively about ICS when we use these broad terms without some sort of taxonomy. There are even more important areas where this large ICS category inhibits effective communication and action, including appropriate architecture, security controls, regulation, and risk. And the confusion is getting worse.
DHS has decided that medical devices, including those implanted in humans, are ICS. It’s going to be very difficult to proceed with solutions that encompass both an implanted medical device and a turbine DCS and safety system, except in the broadest, and not particularly helpful, way.
I’ve had an ongoing disagreement with ARC over their term Industrial Internet of Things (IIoT). At first I thought they coined it to cover IoT devices and systems that connect with what was traditionally called ICS. No. IIoT, in their definition, includes everything that existed in the ICS world plus everything new in the IoT world that is industrial-related. Unlike the term Cyber Hygiene, which we need to kill before it takes root, ICS and IIoT are likely here to stay, and they are as good as any to describe a broad category, similar to the term Enterprise. They are not sufficient or helpful for productive discussions.
The answer: a taxonomy of ICS/IIoT is needed.
The taxonomy doesn’t need to be perfect or overly detailed; its purpose is to assist in effective communication. Here are some possible categories:
- Value – what would be the consequence if integrity or availability of the ICS/IIoT is compromised?
- Architecture – classic Purdue model, IoT, classic + cloud, ??? [2]
- Maturity of ICSsec program – huge difference in what should be done based on maturity. This is one of the biggest issues today with asset owners just starting their ICSsec efforts spending time and money on actions with minimal risk reduction.
- Sector / System Type – This is the most obvious category. Some sectors and systems are homogeneous, while others, such as chemical manufacturing, have significant variance between small and large manufacturers. My thought is you could have three to five numbered sectors, and then place industries in one of those as appropriate. We could then discuss, for example, the security controls Sector 2 systems should deploy or the threats they face.
- Your category here … this is far from a complete list of possibilities.
The bundling of more and more sectors and systems into the ICS/IIoT term is helpful only in that it is increasing awareness and, hopefully, corresponding action. It is leading to unhelpful and confusing discussions even amongst those active in ICS. Executives and those peripherally involved in ICS will almost certainly be misled by “ICS” information that is unrelated to their ICS. We need an ICS/IIoT taxonomy.
[1] If Kaspersky found high value ICS directly connected to the Internet and receiving email, one hopes they worked with the asset owner to immediately correct this.
[2] It seems everything ties back to S4x19. We have a session with Brad Hegrat, Joel Langill and myself titled “Purdue Model Is Dead? What Comes Next?”