My most vivid early experience with ‘it won’t work in ICS’ was in 2006. We had received a DHS research contract to develop Snort intrusion detection signatures and preprocessors for ICS protocols (originally Modbus and DNP3). I was presenting the working solution at a Telvent (dominant pipeline SCADA vendor at that time) User Group meeting. The almost universal reaction was this could never be deployed on an ICS. But it was completely passive, put no traffic on the network. Still I was told it won’t work in ICS. Of course, it worked, and there are now numerous product offerings now monitoring ICS networks.
This is just one of a long list of ‘it won’t work in ICS’ including:
- Ethernet because it’s not deterministic (90’s)
- Windows computers (90’s with Wonderware being the big breakthrough)
- Anti-virus (which did fail on early installs. Not because it didn’t work, but because the computers it was installed on were ancient and underpowered.)
- Active Directory
- Application Whitelisting
- Auditing security settings of ICS applications and devices using legitimate request commands (first in our USG funded Bandolier files ~2008)
- Industrial Firewalls
This is only a partial list. Virtualization is one of the best examples from the last decade. ICS vendors went from ‘virtualization won’t work and you will violate your warranty if you do this’ to ‘we recommend virtualization’.
This issue ties into my article last week, Everyone Can Play In OT / ICS Security. These and many other improvements came from outside of Operations and were often fought by Operations until they became standard practice. This is not to degrade or devalue the importance of Operations and Engineering. ICS cyber risk management needs their primary contribution in reducing the consequence side of the risk equation and involvement in reducing the likelihood component.
What it does mean is we should take a step back and reconsider whenever we hear ‘it won’t work in ICS’. If it works elsewhere in T (Technology), there is a good chance it will work and become normal operations in OT. This is especially true of T that is used in mission critical systems that require extremely high availability (not desktop T). Perhaps there will be some adaptation of the T or approach, as is likely in DevOps or cloud services, and yet it will probably work in and come to OT / ICS.