I’ve seen people in a project who have spared very little to defend the industrial control system. They mean well. But sadly, they’re overlooking the basic economics that drove Industrial Control Systems (ICS) in to being.
Engineers designed the first control systems so that the process could be managed more easily, with fewer staff, and with more consistency. However, many Operational Technology (OT) security solutions involve more people, more complexity, and less consistency when the security system gets in the way.
That’s not why we automated things in the first place. You’d think from the way that some OT Security people talk, that the automation system exists to support the OT networks, not the other way around.
When discussing a security system for OT, you should ask yourself the following question: Does this solution force the OT Security specialist in to the diagnostic effort? If so, congratulations, you have just doubled the number of people needed to dispatch on a problem. In the older systems, the supervisor sent a technician with a volt meter, a few spare parts, and some fuses in to the field. Now, we’re looking at that same technician, with more expensive spares, and a specialist to configure them.
Why is this an improvement? Where is the return on the investment? Are there better diagnostics that can get things back in service sooner? How much do these people cost per hour? They’re not cheap when you drag them out of bed at 2 AM, are they?
Let’s back up and look at the larger picture: Why is this happening? The Trust No-One Model, while it does work, is also a very expensive way to manage an OT infrastructure. Why did that happen?
- Multi-vendor systems with many zones and conduits for control.
- Lots of overbuilt industrial computing resources with many places where malware can be hidden.
- Desk jockeys slurping data from an industrial process, as if it exists only to provide them with another data lake to play in.
Please Ladies and Gentlemen, please just stop for a minute. Some managers are starting to notice these costs. More than a few are starting to look fondly at those old basic controls. Why? Because it may actually be more cost effective.
Hardwired controls may seem expensive, but compared to the costs of maintaining the AD, firewalls, IDS and IPS systems, patching, switches, routers, a SIEM, a Network Management System, Configuration Management, increased staffing, more complex emergency responses, and so forth –it’s starting to look awfully attractive.
Beware, if the price tag for security is too high, you’ll be out of a job. The manufacturing jobs and all the economic goodness that comes with it won’t happen. We need to find more reasonable solutions and better, inherently secure architectures that don’t involve bringing in high paid experts so that someone can replace a fuse.
(Update: minor edits and sentence restructuring)