To a lot of you, this is post isn’t going to tell you anything you don’t already know, but for others I think it needs to be said again. MAC and IP addresses are easily changeable and are useless for authentication.
Far too often when we’re on site we see security measures that rely heavily on them, and its something that we need to move away from in control systems. We need to decouple connectivity and authentication. This is bad enough on the control network itself, but often it goes past that point and extends out to the corporate network, allowing a handful for special ips to access the control systems, essentially rendering your firewall useless.
Of course we know a lot of devices on our networks don’t support this kind of authentication, and due to unavailability, along with time and resource constraints that just the way its going to be for the foreseeable future. And in those cases when you can’t do authentication, you have to depend on effective monitoring (access logs, network monitoring, our own quickdraw project, etc).
How do you know if you’re using real authentication? If its not using something you have, something you know, or something you and only you are, then its not real authentication and you’re setting yourself up for problems down the road. This is something that can and will cause a lot of problems down the road as more and more layers of assumed security/authentication are built on top of a faulty premise.