I’m putting together an intro for an ioActive webinar on CoDeSys with Reid, which will have some good technical information and discussion on the effectiveness of suggested compensating controls. And I’m trying to find some way to point out the complete failure of the ICS community to address the PLC insecure by design issue. Looking back at this blog I found the entry below from October 2003, nine years ago and the first month of the blog.
Yes, nine years ago there were basic demonstrations going around showing the lack of authentication and other basic security controls in PLCs, RTUs and other controllers. Think about how many systems have been unnecessarily been deployed with these same security flaws in those nine years.
Two other interesting items from this ancient post. First, you see the line about compensating controls at the end of the post. We have never been and are not anti-compensating controls, but this is not a solution. It’s a risk reduction stop gap. Second, if memory serves me right the person doing the demonstration was Eric Byres, then with BCIT. Eric ironically recently wrote a blog “Address SCADA Security Vulnerabilities Now, Not Later” where he focused on compensating controls rather than demanding basic security. Perhaps if we all focus on and demand getting basic security in the PLCs now we won’t be facing this same problem in 2021.