An IM discussion with Jason Holcomb in regards to his recent post set my mind in motion.
English philosopher and logician William of Ockham postulated in the 14th century (quoting Wikipedia): “When multiple competing hypotheses are equal in other respects, the principle recommends selecting the hypothesis that introduces the fewest assumptions and postulates the fewest entities.” Derivatives of this thought include “Entities must not be multiplied beyond necessity,” which has particular relevance when applied to the field of Control System Security.
As security was not an inherent guiding design principle of the majority of existing control systems, security has become a “bolt something on to fix it” issue. Meaning we have attached a number of secondary devices and measures in order to provide security to a system that is being used in an environment for which it wasn’t designed (attached in some way to an outside network), e.g. to provide security of the process while providing process control and data quantification to external gathering points.
The current “bolt on a fix” approach has the benefit of raising the bar of attack sophistication, but at the same time grows the task of security management. The necessities of hardware management, patch management, router, switch and firewall management, and communication path management all combine to create a daunting task for system administrators.
The simple answer to Jason’s proposition is no. Each component attached to the system increases complexity and adds an element of security risk that aggregates with each device attached. Consequently, each individual item in the process statistically introduces a degree of uncertainty and complexity, multiplies potential chaos, and possibly provides an attack vector. Each device could be the chink in the armor that allows for exploitation.
Ockham’s Razor states that the simplest (most elegant) solution is most likely the best solution to the problem. Applying this logic to control systems in its purest form means the removal of any system, program, device, communication path or element that is not absolutely essential to the completion of the core task of the process.
Translation: remove all unnecessary programs (browsers, e-mail clients, games, applications) from the systems attached to the process. Remove any system (PC, terminal, device of any sort) from the network that is not essential to the process. And lastly, simplify and remove the external connectivity of the system. In an ideal world there would be no external connections into the control system, be it dial-in, wireless, Ethernet, etc., but since we operate in less than ideal circumstances, minimize the connectivity to the absolutely essential.
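As an added illustration of those three steps (this is example code, not part of the original post), a small Python audit over a constructed inventory: hosts with no role in the process, non-essential programs and unsanctioned external paths are flagged, and an entity count before and after shows what the razor removes. The role policy, host names and link types are hypothetical.

```python
"""Razor audit of a control-network inventory: flag every host, program
and external path that is not essential to the process (constructed data)."""
from dataclasses import dataclass, field

@dataclass
class Host:
    name: str
    role: str                 # "hmi", "engineering", "historian", "office", ...
    programs: set
    external_links: set = field(default_factory=set)   # "dialin", "wifi", "vpn"

# Essential entities per role: a hypothetical policy for this sample site.
ESSENTIAL_PROGRAMS = {
    "hmi": {"hmi-runtime"},
    "engineering": {"ladder-editor", "hmi-runtime"},
    "historian": {"historian"},
}
ESSENTIAL_LINKS = {"vpn"}   # the single sanctioned path for external data collection

# Constructed sample inventory, not a real site.
INVENTORY = [
    Host("hmi-01", "hmi", {"hmi-runtime", "browser", "email"}),
    Host("eng-ws", "engineering", {"ladder-editor", "hmi-runtime", "games"}, {"wifi"}),
    Host("hist-01", "historian", {"historian", "browser"}, {"vpn"}),
    Host("office-pc", "office", {"email", "browser"}, {"dialin"}),
]

def entity_count(inventory):
    """Ockham's 'entities' here: every host, program and external path."""
    return sum(1 + len(h.programs) + len(h.external_links) for h in inventory)

def apply_razor(inventory):
    """Return (findings, pruned inventory) keeping only what the process needs."""
    findings = {"remove_hosts": [], "remove_programs": {}, "cut_links": {}}
    kept = []
    for h in inventory:
        if h.role not in ESSENTIAL_PROGRAMS:      # host plays no part in the process
            findings["remove_hosts"].append(h.name)
            continue
        extra = h.programs - ESSENTIAL_PROGRAMS[h.role]
        if extra:
            findings["remove_programs"][h.name] = sorted(extra)
        links = h.external_links - ESSENTIAL_LINKS
        if links:
            findings["cut_links"][h.name] = sorted(links)
        kept.append(Host(h.name, h.role, h.programs - extra, h.external_links - links))
    return findings, kept

if __name__ == "__main__": print(apply_razor(INVENTORY)[0], entity_count(INVENTORY))
```

Running it on the sample inventory drops the office PC entirely, strips the browser, e-mail and games from the process hosts, cuts the unsanctioned wireless path, and reduces the entity count from 17 to 8.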
This principle (the application of the razor) is demonstrated at times in the control system community. GE Fanuc Cimplicity recently converted (in v8) to Windows authentication instead of a secondary home-grown solution. Secure DNP3 is starting to penetrate the market. And I can in no way overstate the value of having a well qualified team (such as ours) come and evaluate a control system against the precepts of Ockham’s Razor.