James Arlen, @myrcurial, posted a question on SCADASEC on the phrase “utilizing demonstrated engineering experience”. Here is the pull quote/question:
“If you are, say – a cookie manufacturer, and you have a cookie manufacturing line built and installed, you need to have engineering sign off on the whole thing for building code, health & safety, etc – right? And your control system is a mixture of super stupid embedded systems and an overall controller running on Windows. As an engineer, when you sign off on the cookie manufacturing line, are you signing/stamping a set of plans which you cannot possibly validate?”
Any engineers want to answer James’ question?
It ties in with one of my takeaways from Ralph Langner’s excellent book, Robust Control System Networks. Engineers are accepting a level of uncertainty and fragility in the cyber component of their systems that would be unacceptable engineering and maybe even professional malpractice. Two simple and frequent examples:
- Not Even A Basic Network Diagram – would a substation, pumping plant or any major part of a plant be built and deployed without drawings?
- Uncertain Communication Flows – the analogue to this would be not having any idea how your systems are wired together. Not only do many owner/operators not know this information, but often the vendor engineering teams don’t know the communication flow. They say it works one way and then network capture shows something different.
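A small reconciliation of the kind that surfaces the second gap, added here as an example rather than anything from the original post: it diffs the flows a vendor's design document claims against the flows a capture actually shows. The flow-summary format, the "documented" matrix and every address and port are constructed sample data.

```python
# Reconcile a documented ICS communication matrix against flows observed in
# a packet capture. All inputs below are constructed, not real plant data.
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")

# Constructed: what the vendor's engineering document says should be talking.
DOCUMENTED = {
    Flow("10.1.1.10", "10.1.1.20", "tcp", 502),    # HMI -> PLC1, Modbus/TCP
    Flow("10.1.1.10", "10.1.1.21", "tcp", 502),    # HMI -> PLC2, Modbus/TCP
    Flow("10.1.1.5",  "10.1.1.10", "tcp", 3389),   # eng workstation -> HMI, RDP
    Flow("10.1.1.5",  "10.1.1.20", "tcp", 44818),  # eng workstation -> PLC1, EtherNet/IP
}

# Constructed: unidirectional flow summaries as a capture tool that records
# the connection initiator might export them: src dst proto dport packets.
CAPTURE = """\
10.1.1.10 10.1.1.20 tcp 502 1420
10.1.1.10 10.1.1.21 tcp 502 1388
10.1.1.21 10.1.1.10 tcp 502 17
10.1.1.20 10.1.1.99 udp 161 412
10.1.1.5 10.1.1.10 tcp 3389 88
"""

def parse_capture(text):
    """Parse the constructed flow-summary format into Flow tuples."""
    flows = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport, _pkts = line.split()
        flows.add(Flow(src, dst, proto.lower(), int(dport)))
    return flows

def reconcile(documented, observed):
    """Return (undocumented, unobserved): flows seen on the wire but never
    drawn, and flows drawn but never seen during the capture window.
    Direction matters: a PLC opening a connection back to the HMI is a
    different flow from the documented HMI -> PLC polling."""
    return observed - documented, documented - observed

if __name__ == "__main__":
    undocumented, unobserved = reconcile(DOCUMENTED, parse_capture(CAPTURE))
    for f in sorted(undocumented):
        print(f"UNDOCUMENTED {f.src} -> {f.dst} {f.proto}/{f.dport}")
    for f in sorted(unobserved):
        print(f"UNOBSERVED   {f.src} -> {f.dst} {f.proto}/{f.dport}")
```

An unobserved flow is not necessarily wrong, only unproven in this window (engineering access may be rare), so the unobserved list is a question for the vendor, while the undocumented list is a correction to the drawings.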
We have effectively integrated this engineering analogy into our discussions with the operations team. They get it and often get a bit embarrassed. While I wouldn’t recommend shame as a regular technique, if you can appeal to their engineering professionalism, progress may be more likely than with the regular security guy approach.