Bryan Owen in his OnRamp ICS Cloud Services module described open and closed loop cloud services. Securing open loop cloud services is simple because communications can be limited to pushing ICS data to the cloud. Closed loop cloud services can involve the external systems, often run by a third party, sending control or configuration commands to the ICS.
In an earlier article, I noted the need to limit by command, range and address what is allowed from the cloud to the ICS. An asset owner might buy a service that allows a third party to slightly alter a small set of parameters for boiler efficiency, but shouldn’t unnecessarily rely solely on the third party’s good intentions to restrict itself to those functions.
One of the promising features about edge devices and related services is a third party can be responsible for the cyber maintenance of the edge devices, including applying security patches. The problem is this ability to apply security patches and configure the edge device would also allow the third party, or someone who had compromised the third party, to alter the ICS deep packet inspection ruleset and other security features.
The easy answer to this problem is the asset owner would perform cyber maintenance on the edge devices. This, however, is the opposite direction many asset owners are heading. They are looking to outsource these tasks rather than accumulate additional cyber maintenance tasks so they can focus on their core business.
A third party not involved in the ICS cloud services could be responsible for the cyber maintenance, but now we have doubled the number of entities with access to the edge devices. It could be considered dual control, but not really because the entity responsible for cyber maintenance could compromise the edge device without the ICS cloud service company.
This is rarely an issue today because most of these third party closed loop ICS services are only restricted by the third party’s promises and a VPN, strong authentication, background checks, … that protect the asset owner from everyone but the third party’s systems. In this case there is very small additional risk in allowing the third party to manage the edge device. Hopefully asset owners will realize the risk of this and push back against the “give us a secure pipe into your ICS” approach. Once we get to this enhanced security, the question of who will manage this enhanced security will need to be answered.