Last night Dave Kuipers, a long-time member of the ICS cybersecurity team at Idaho National Labs, posted a comment to my blog post about the recent update of the ICS-CERT defense in depth paper. His lengthy comment provides some additional background information about how the team at INL considered the use of safety systems and operator response as part of the ICS defense in depth strategy. His comment is thoughtful and well worth reading.
I am a little concerned with the comment about ‘throwing out the baby with the bathwater’ that was included in his response because it would seem to indicate that the points that I was trying to make in my post may have been misunderstood. And I need to address my side of that communication problem.
First, I obviously did not make clear enough that I was not disparaging the technical aspects of the lengthy and well-thought-out paper. Defense in depth is the only way that an organization can have any hope of defending any sort of computer-based system, particularly industrial control systems. I did not address the technical merits of the paper in my blog post because I do not have the technical background to do more than address the highlights. Those technical merits should be addressed by control system security experts.
My post addressed what I thought was an insufficient level of attention to another area of the defense of the system that uses the control system: safety systems and operator response. To be fair, this is not actually a cybersecurity defense; it is more appropriately a defense of the higher-level system of which the ICS is an important component. As such, in hindsight, Dave's comments are really appropriate.
In the ICS security community there is a great deal of deserved attention paid to the security aspects of the control system components. This is very important and certainly worthwhile. This technical focus, however, leads to a very distressing picture of the security of the businesses that rely on the use of industrial control systems. The history of poor security design and integration of control systems has left us with a legacy of systems that have porous security at best, leaving industry with little hope of securing those systems in the foreseeable future.
People need to remember, however, and I would like to see ICS-CERT be more active in spreading this word, that industrial control systems do not operate in a vacuum. While connecting ICS to business systems has made the control systems arguably more vulnerable, other business processes help mitigate some of those vulnerabilities. If the control system security community feels free to bemoan the decreased security that accompanies business system linkage, it also needs to acknowledge and work with the business processes that help protect against the worst consequences of cyber insecurity. Safety systems and operator training are two of those processes that deserve mention, consideration and integration into control system security planning. This would add yet another dimension to defense in depth.
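To make the point above concrete, here is an added illustration (my own toy simulation, not anything from the ICS-CERT paper or from Dave's comment) of why an independent safety system belongs in the defense in depth picture. It models a tank level loop whose basic process controller has been compromised and keeps commanding the feed valve open; a separate safety function with its own sensor and trip point closes the feed regardless of what the controller says. The level thresholds, flow rates and step count are all constructed for illustration and do not describe any real plant.

```python
# Added illustration: an independent safety function bounds the physical consequence
# of a compromised process controller. All numbers below are constructed assumptions.
from dataclasses import dataclass, field

HIGH_HIGH_TRIP = 90.0    # assumed % level at which the independent safety function trips
OVERFLOW_LEVEL = 100.0   # assumed % level at which the physical consequence (overflow) occurs
INFLOW_RATE = 5.0        # assumed % level gained per step with the feed valve open
OUTFLOW_RATE = 1.5       # assumed % level lost per step through the outlet


@dataclass
class PlantState:
    level: float = 50.0
    feed_valve_open: bool = True
    sis_tripped: bool = False
    history: list = field(default_factory=list)


def compromised_controller(level: float) -> bool:
    """Compromised process controller: ignores the setpoint and always commands the valve open."""
    return True


def healthy_controller(level: float, setpoint: float = 60.0) -> bool:
    """Healthy process controller: opens the feed only while the level is below the setpoint."""
    return level < setpoint


def sis_check(level: float, already_tripped: bool) -> bool:
    """Independent safety function: latching trip on its own high-high level reading."""
    return already_tripped or level >= HIGH_HIGH_TRIP


def run(controller, sis_enabled: bool, steps: int = 40) -> PlantState:
    """Step the toy process; the safety trip overrides the controller's valve command."""
    state = PlantState()
    for _ in range(steps):
        command_open = controller(state.level)
        if sis_enabled:
            state.sis_tripped = sis_check(state.level, state.sis_tripped)
        # The safety function's final element is independent of the controller's command.
        state.feed_valve_open = command_open and not state.sis_tripped
        inflow = INFLOW_RATE if state.feed_valve_open else 0.0
        state.level = max(0.0, state.level + inflow - OUTFLOW_RATE)
        state.history.append(state.level)
    return state


def max_level(state: PlantState) -> float:
    return max(state.history)


def overflowed(state: PlantState) -> bool:
    """True if the physical consequence threshold was reached at any point."""
    return max_level(state) >= OVERFLOW_LEVEL


if __name__ == "__main__":
    for label, ctrl, sis in [
        ("healthy controller, no safety trip", healthy_controller, False),
        ("compromised controller, no safety trip", compromised_controller, False),
        ("compromised controller, safety trip enabled", compromised_controller, True),
    ]:
        result = run(ctrl, sis)
        print(f"{label}: peak level {max_level(result):.1f}%, overflow={overflowed(result)}")
```

The compromised controller alone drives the tank past the overflow point within a few steps; with the safety function enabled the peak stays at the trip level plus one step of inflow, and the latched trip holds the valve closed afterwards. The cyber weakness is unchanged in both runs; what differs is whether the business process around the ICS has an independent layer that limits the consequence.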