I was lamenting the state of Industrial Control System (ICS) security recently with some friends. Things are very lopsided right now.
In the beginning days of ICS security concerns, there were a few hackers who had no idea what they were getting into and a few very scared engineers who were uncertain about what these hackers were finding, but suspected it wasn’t good. Both sides knew the situation was getting uglier and uglier, but weren’t sure what to do or how to do it.
Then the organizational experts showed up. They developed risk analysis philosophies that were not well grounded, but better than nothing. It was sort of like telling the early aviators to make checklists, but with only vague categories of what was supposed to be on those checklists or how to train with them.
Then the network people got busy. They had a framework, and by golly they could sell products to help. All they had to do was block the evil traffic. While they weren’t sure how, they knew that various things ought not to talk to other various things.
So firewalls were set up, ports were blocked, and generally they developed a first-layer shell of defense. Clearly that defense wasn’t good enough. But they weren’t willing to get involved in ICS design or integration. They leaned on some of the companies, and those companies turned around and developed products that would work with the products that many of the network-oriented firms were selling.
Then the IT refugees showed up with their extensive monitoring infrastructure. They wanted to integrate everything into a security monitoring system with tools such as a Security Information and Event Management (SIEM) system, Network Management Systems, and so on. These aren’t bad tools, but they are still being adapted to control systems to keep them from raising too many false alarms.
And that’s pretty much where we are. Right now, if you mention ICS security, you’ll get some IT refugee who believes it’s all in the network and that they have the right products for you. I don’t mind these people, but we are falling way short of the goal.
We still have many people who are demonstrating all sorts of failings on ICS platforms. Even scarier, they’re getting familiar with the processes, so that they can attack them more effectively.
What about the operating systems, the application software, the coding practices, the embedded systems, and the process itself? Nothing has changed much.
There are a few people, like Adam Crain, who seek better languages for writing embedded applications. Let’s face facts: while C is popular, it is a minefield not just from a security perspective, but from a stability perspective as well.
There are a few who advocate better PLC coding practices, and not just me, either. Isiah Jones has been advocating this too. While there aren’t many of us, I have to believe he’s not the only one.
Going further, the operating systems we use are frankly a dumpster fire of bloated, overwrought complexity built on still more bloated, overwrought complexity. The original reason for using these bloated operating systems was that they would be compatible with office applications. But that’s not really an issue anymore. We have file format standards. We have comparatively simple needs for networking. A stripped-down operating system without all the silly network protocols, device drivers, and plug-and-play everything would be most welcome. But not many are talking about such things.
Yes, these things are work. And they’re not sexy. It’s hard to sell products that are actually less, not more. But that’s what security demands. Checklists aren’t sexy products that one can sell, either. But if you want to fly an airplane safely, you have to use one.
Keep it Simple and Stupid.