In 2008 I had three US electric utility clients who were making impressive progress in securing their ICS used in generation and transmission. They had implemented the basic security controls and were pushing with questions like “what should we do next year to be more secure?” An efficient risk reduction approach had resulted in significant year over year improvements in security, and corresponding ICS related risk reduction, without large expenditures.
And then NERC CIP moved from a guideline document to a mandatory standard and stopped almost all progress. All the clients’ ICS security resources were allocated to NERC CIP compliance.
To be fair, the majority of the electric sector was doing little or nothing in terms of ICS security. And it took a few years of CIP until they were forced to do something substantial. NERC CIP definitely raised the floor. It was incredibly documentation heavy and inefficient, but it raised the floor. The problem is it actually retarded progress in the security conscious utilities. They took a step backwards.
The increased awareness and attention brought by the Oldsmar and Colonial Pipeline incidents, as well as SolarWinds, will likely result in more government requests for action and information. Some of these will be in the form of regulations with potential fines like NERC CIP. Last week’s DHS missive for pipeline operators was the first small step. Expect more.
After the NERC CIP experience an important question with no easy answer is “what ICS cyber security regulations would be effective?” If you made me king of the world I would come up with something to try, but I have not heard or personally come up with a high confidence regulation approach or answer.
Regardless of what the .gov requests and regulation bring, we cannot let this take all of the oxygen in OT and ICS security. Like NERC CIP, it will be the floor, not the future. It’s remedial action that likely will be highly inefficient.
This is not 2008. The world is not going to wait while the part of the ICS community that’s been napping catches up on Security 101 controls and practices, as well as trying to retrofit security onto existing insecure by design systems. IIoT, cloud services, digitization, machine learning and other technologies (buzzwords) offer so many financial and other benefits to asset owners.
This is actually a great opportunity to advance rather than step back. It’s not the time to fall back in love with the airgap. In some cases it may make more sense to abandon old technologies and approaches rather than try a SCADASEC 101 retrofit to an old product and resistant community. As an example, I harp often on Insecure By Design in level 1 (PLCs, controllers, etc.). Adding authentication, signed firmware, roles, security logging, etc. to the traditional level 1 device may be a slog not worth taking. Maybe we leapfrog this with the Level 1 equivalent of an edge device with containers that can be quickly deployed and replaced.
We will not stop the remedial requirements coming from governments and industry organizations. It’s the bill that is due from the last 15 years of relative inattention to OT cyber risk. We just can’t let the remedial requirements dominate the thoughts and actions of the leaders and early adopters in the community.
I don’t have all the answers, and undoubtedly many of the answers I do have are wrong. This is why we need opportunities for the top talent and forward looking thinkers to share ideas in an environment like S4. Ideas that seem crazy. Ideas that conflict with each other. Ideas that can be added to and tested.
The short video below explains what S4 is, what we are looking for and how to increase your chances of getting on the S4 Main Stage or Stage 2: Technical Deep Dives next January. The simplest way to think about it is the S4 Mission is to help Create The Future and the S4x22 theme is No Limits.
I look forward to seeing what you have and finally getting back to the in person S4 experience next January. The Call For Presentations is open through Aug 15th, but early submission improves your chances of getting on stage.