While progress on adding basic security to PLC/RTU/Controllers, Level 1 of the Purdue Model, continues to be excruciatingly slow, there is much good news from vendors that make the applications that reside at Level 2.
Vendors offering HMI, Engineering Workstations, Historians, SCADA and DCS Servers and other Level 2 applications are adding security features to their software. Equally important is they are providing quality configuration and deployment advice to their customers in the form of white papers and videos. This is a growing trend for at least the past five years.
Check out Bryan Owen’s 2014 and 205 User Group presentations on securely deploying the OSIsoft PI Server. These are two of many videos and tools they provide to help customers secure their PI deployments.
OSIsoft is not alone. We work with numerous vendors who provide quality secure deployment advice for the architecture, OS hardening and ICS application security settings. We have also seen this type of great information at S4 OTDay and other vendor User Group events.
The ICS Community should recognize and appreciate the vendors that are stepping up to this challenge, but … the unfortunate reality is this quality guidance seems to be rarely followed and new system deployments are not following even the key items stressed in the vendor deployment guidance.
In some cases this is an integrator, consultant or customer that is installing the ICS incorrectly. This is bad enough, but the real shame is when the ICS vendor installs their own solution without following their own security advice.
Many times a year we have a disagreement with the ICS vendor’s deployment team on how their product should be installed, and we have to pull out the ICS vendor’s own documentation to show them they are installing it wrong. Even then more often than not they fight back and tell us why it is impossible to install the ICS the way their own product team recommends.
It’s not hard to understand why this happens. The team that works on design and implementation has a difficult job, and many of these team members have been installing systems for decades. They have a way to make a complex deployment work and are not looking to make their job harder. If they know how to install a legacy configuration, they will install a legacy configuration even on a completely new system.
The ICS vendors need to step up even more and push this secure deployment information and processes down to the deployment teams. I’ll fully admit this is a big task that is unlikely to be 100% in the near term, but we are not seeing installs following ICS vendor guidance even 25% of the time.
Asset owners purchasing new ICS are going to have to step up as well. They will need to get the ICS vendor secure deployment recommendations and add secure deployment requirements to the acceptance tests.
This can be done.