How Much to Budget?
Many are flummoxed when working on budgets such as ICS Security. Security contains many aspects that are actually routine activities that we should be doing anyway, that actually do have an ROI. If a few minor improvements are made, it can be integrated in to security.
For example, go to most distribution systems or plants, and make a request of the superintendent or manager:
“Please tell me what assets you have in the OT networks and where they are.”
In the majority of cases you’ll see those people look at the ceiling and start counting on their fingers. In a few cases, you’ll see them dig out some spreadsheets or Visio diagrams and start counting. However, in only a very few cases are you likely to see them walk over to a console, look up a number and give you a live view of what is there, what should be there and what has just been discovered.
Those in charge of asset management or corporate fiance are probably not too happy about this sort of behavior. The problem is that control systems are often delivered as part of a larger project. There is no requirement to enumerate exactly what is in the control system, particularly when it is maintained by others.
If the ICS network topology and assets are not documented, setting themselves up for an even worse day when trouble finds them. It would be like having a PLC without any I/O documentation, or a computer without any backups. Those who fail to plan for this sort of event can expect a double-dose of disaster when something breaks, never mind hacking.
Nevertheless, this isn’t security. I call it inventory control. If you don’t know what you have, how can you manage it effectively?
Network Traffic Monitoring
Do you know what the traffic level and latency of your network is? If you don’t, can you be certain that you won’t have PLC I/O scan overruns? Can you know for a fact that your SCADA system will be able to scan everything it should in four seconds (the NERC standard)?
Knowing these things is important for maintaining performance. If you know these things, then installing firewalls and configuring switch monitors becomes a very straightforward exercise. If you don’t know these things, then you’re going to have to figure them out somehow before you can improve the security.
How about that HMI? How was that operating system configured? What operating system and application software versions are on it? What patches have been applied? What versions of firmware are on those PLCs in the field? How about those instruments?
Again, this isn’t exactly about security. Keeping track of patch levels is also important for maintaining interoperability, stability, and also improving the resiliency and longevity of the control system.
Tracking network media performance and connections could be viewed as security. But it could just as easily be a self diagnostic tool. Does anyone think that fiber-optic cables “just work?” Properly installed and tested, they will give good performance for quite a few years. But they do eventually get brittle. They do eventually start pistoning in and out of the connectors. They will eventually fail. Wouldn’t it be nice to have some early warning before that happens?
So is that security, or built in diagnostics?
Testing for Stability
Fuzz testing is often considered a security issue. But it can also be a safety issue. You want that safety system to work reliably, don’t you? Shouldn’t you test it under extreme conditions to ensure it will work exactly as expected even during very adverse conditions?
As you can see, many of the things that security are really about performance monitoring and inventory. There aren’t many things that are strictly purchased for no other possible application besides security. Security by itself is not easy to justify because it is difficult to document an attack that didn’t happen. However, you CAN document various other aspects of security (inventory, reliability assurance, diagnostics, etc.) and show an ROI on those aspects.
Security of control systems is mostly something people should be doing in the course of their normal work. And this is as it should be. Like Safety, Security is mostly a part of culture, not an appliance one purchases and forgets about.