2014-2015

This is the companion article to our 15 Reasons to be Pessimistic about ICS Security in 2015 that we ran on Friday. On Wednesday I’ll lay out what to look forward to in 2015 based on these two contrasting articles.

Many of the items below come from experiences with clients, peers and ICS community friends. They are not as visible as most of the pessimistic items, but they are activities going on in real companies making real progress on these issues.

  1. Many large asset owners, those with 10, 50 or 100 ICS spread around the world, are deploying ICS security programs across all sites with required security controls and metrics that management is tracking.
  2. The mainstream press remains hot on ICS security stories.
  3. Multiple high quality ICS security training options are available.
  4. Application whitelisting deployed on ICS computers with and without vendor blessing.
  5. Some universities are now performing true ICS security research.
  6. More ICS vendors are implementing an effective security development lifecycle (SDL).
  7. The NIST Cybersecurity Framework is launching C-level discussions and programs.
  8. Governments around the world are now engaged in this problem. Varying approaches, different results.
  9. Peer pressure … multiple examples in 2014 where ICSsec projects were launched because competitor/peer was doing it.
  10. Virtualization is becoming a mainstream deployment option.
  11. Greater acceptance of the need for an inventory, data flow diagrams and other basic documentation.
  12. Leaders in wide variety of sectors beginning ICS security efforts. It’s not focused on electric, petrochem any more.
  13. Wait … we are still running Windows XP? Management awakening to state of cyber maintenance neglect and finding it unacceptable.
  14. Vendors are, admittedly still slowly, adding security posture acceptance tests to FAT and SAT.
  15. Large consulting practices, i.e. IBM, PWC, …, are creating ICS security teams.

What would you add to the list?

Image by PixelVikings