ICS Security - An Alternative Perspective
31 January 2015





Based on the lessons learnt in cyber security, the tech industry would turn back time and do things differently if it could. Everything from protocol design, OS design and network design to the technologies enterprises have adopted might be done differently based on what we now know. Unfortunately we cannot go back in time in a literal sense, but when we consider ICS/SCADA security we may very well have an opportunity to go back in time in a virtual sense. This is because there is still time to apply security lessons learnt in the enterprise space to the industrial control space. This is possible because the technology and services adopted within the industrial sector are some way behind those of enterprise business systems. The hunger to adopt emerging technologies to gain a competitive advantage, be first to market or drive down costs within the enterprise space has historically led business leaders to make business decisions with little consideration for security. Fortunately, within the ICS space sound engineering practice has so far prevailed. As such, the rapid adoption of new and immature networked devices and services has been abated to a certain extent. The slow rate of technology change across the industrial space is not without its problems, but it may well provide the opportunity to make the right decisions moving forward.

The industrial sector has resisted many of the trends within enterprise IT, partly because ICS has essentially remained an engineering discipline. A strict approach to design and change has been conducted by engineers based on safe and sound engineering practice and processes. Also, the development of products targeted at industrial control has largely been limited to specialist and established vendors. Development of products for the industrial space has historically been beyond the reach of young business start-ups, but that is about to change.

Over recent years there has been a shift in the way hardware products are developed. Embedded product and component manufacturers have recognised that if they want to maximise the appeal and use of their products or components, they need to provide a low-cost entry point for producing products built with those components. By doing this the potential OEM customer base increases massively. This model has been demonstrated to successful effect by Google in the software space. Google provided development tools for its Android operating system for free and produced quality documentation to allow anyone, from bedroom programmers to large corporations, to use and develop products and services built on Google technology. This growth model is now being applied by component vendors. Large investment or specialist skills are no longer required to enter the hardware development space today. At a high level, the BeagleBoard and Raspberry Pi have allowed a broad demographic to become familiar with hardware and to experiment. Many will use these products as a stepping stone to lower-level hardware development boards produced by component manufacturers such as Marvell, Atmel and many more.

Internet of Things (IoT) component vendors now want to establish an early foothold in the IoT space. IoT component vendors such as those mentioned are producing low-cost IoT reference boards and free development tools in order to encourage use of their components. We should expect to see start-ups and individuals producing IoT devices to fill a niche in every aspect of domestic life. The development of these IoT devices may become as large and vibrant as the mobile app space is today.

The massive skill base that will emerge in the coming years in IoT hardware development will inevitably lead to the huge growth of similar Industrial Internet of Things (IIoT) devices. These devices may prove irresistible to the industrial sector from a business perspective. The engineering practice that has largely kept industrial plant safe today may well be overridden by business stakeholders in the near future.

An opportunity now exists for the business leaders within the industrial and utility sector to resist the lure of IIoT devices and connected services that will soon be emerging in the ICS sector. It is inevitable that a wave of such technology will be pitched at business leaders within the industrial sector with the promise of huge cost savings or revenue-generating potential. While some connectivity between ICS/SCADA and business systems may be required, it must be remembered that the primary aspect of ICS and SCADA security is safety, and that must not be compromised for perceived financial gain. If financial drivers prevail over safety then the industry will find itself with the impossible task of securing its ICS assets and critical processes. Any initial perceived financial gains will turn into long-term and extremely costly problems with a high probability of human fatality.

We cannot reverse the position we have arrived at in the enterprise security space, but we can effectively go back in time and apply the critical lessons learnt in enterprise security to ICS security. Many of the technology decisions made across the enterprise that have made it so insecure have not yet been made in ICS. In many instances ICS systems may be old and running on unsupported hardware and software, but that may well be the most fortuitous thing that has happened in the industry. If ICS/SCADA systems had kept pace with the promiscuous system connectivity observed within the enterprise business space, they may well be in a much worse place than many believe they are now. Careful consideration should be given to any proposal to provide mobile or remote access to ICS or to connect ICS to business systems or business partners. The actual benefits may not be as appealing as they first appear when we consider the increasing cyber threat to ICS/SCADA systems. It will take strong business leadership to resist the temptation to follow competitors and implement IIoT in ICS systems or connect more business systems. At this point in time it would be wise to connect only what is essential to operate a safe ICS and SCADA system.

varlogsecurity blog
The place where I share my personal opinion and observations on the world of IT security.
