No Insecure By Design ICS Should Be Pre-Qualified

On May 1st President Trump issued an Executive Order On Securing the United States Bulk-Power System. This Executive Order could create a list of pre-qualified ICS equipment and vendors, as noted in the excerpt below:

The Secretary … may establish and publish criteria for recognizing particular equipment and particular vendors in the bulk-power system electric equipment market as pre-qualified for future transactions; and may apply these criteria to establish and publish a list of pre-qualified equipment and vendors.

The purpose of the Executive Order is clearly to prevent equipment from ‘foreign adversaries’ from being used in the US bulk electric system. I’m suggesting that this EO also be used to create a criteria to finally address the ‘Insecure By Design’ ICS problem, at least in the bulk electric system.

Definition: Insecure By Design – The capabilities an adversary would want to affect the integrity and availability of the ICS and process, in a manner of the adversary’s choosing, are available as documented features and functions.

Insecure by design is much more, and much worse, than a lack of secure by design. Today, decades after the importance of securing the bulk electric system has been widely acknowledged, most of the ICS in the bulk electric system are insecure by design. This includes the systems in the large power plants, the EMS, the transmission SCADA and the substations. There are exceptions, and these should be heralded … perhaps in a pre-qualified list.

As the headline indicates, there is little benefit in closing the back doors that ‘foreign adversaries’ may insert if the pre-qualified US and friendly foreign systems are insecure by design – if they have the front door open.

So there is an opportunity in this Executive Order. The Secretary of Energy is authorized to create ‘a criteria’ for equipment to be pre-qualified. Even a very basic four point criteria to address insecure by design would be a big step forward, such as:

  • signed firmware with secure boot
  • encrypted and authenticated management protocols
  • authenticated ICS protocols for control and monitoring
  • eliminate all hard coded vendor backdoors (or special access features, ht: Ali Abbasi)

Those new to ICS may be shocked that only a small percentage of the systems available worldwide for purchase could meet these four criteria. The US Government simply putting out criteria would raise the flag on this situation and provide an opportunity for them to tell vendors and asset owners it is time to get past Insecure By Design.

Then we can start having a reasonable discussion on getting to secure by design.