Who is Responsible for ICS Security?

There is an interesting post over at ThreatPost.com that looks at how some industrial control system software vendors don’t seem to be taking ICS security seriously. This is really just part of the larger discussion that is taking place in the control system security community. I have been following the discussion through a number of security company blogs and the SCADASEC List. It’s been interesting seeing the chicken-or-egg discussion about who is responsible for the current sorry state of security of industrial control systems, the people who design the software systems or the people who buy the systems.

The Issues

The one side maintains that the vendors are the ones responsible for making the decisions that make these software systems inherently vulnerable to cyber attacks. The use of the Windows® operating system makes them vulnerable to a known host of attacks yet the design makes it difficult to implement the patches used to keep the security side of those programs up to date. To compound that problem there are obvious security holes in the control programs that were either overlooked or actively implemented with no thought to the security implications.

The advocates for the developers argue in turn that the users get what they pay for. The ever present push for lower priced systems requires that the vendors and their developers take the identified shortcuts. Even when security upgrades are offered, users are not interested in paying the added cost for those security add-ons.

To make matters worse, control systems are major capital purchases that companies expect to use for a long time. The cost of control systems is not just the money paid for the software and hardware, but must include the cost of integrating that software with the facility controllers and sensors. Making any changes to the software or hardware undoes much of that work, increasing upgrade costs and decreasing revenues while the facility is off-line getting everything working again.

Finally, until just recently, there really was no problem. No one was attacking control systems for a host of reasons. Control systems were isolated from outside access and they were too complicated and site-unique for it to be possible for outsiders to effectively attack them anyway. Besides what incentive was there for anyone to attack these systems anyway? Yes there have been isolated problems, but they have been insider attacks that security systems would not typically prevent anyway.

A Broader View

Actually, this is not a discussion that is unique to the control system community. Since 9/11 the issue of security in many industries has had the same back-and-forth finger-pointing exercise. Private industry has had a problem getting their hands around the problems of preventing terrorist attacks on their facilities. Since there has been no actual attack on an industrial facility, or even a serious plot against one, in this country companies are having a hard time justifying the kinds of expenditures that are necessary for preventing serious attacks on their facilities.

The Stuxnet discussion has not changed that perception. Most commentators have been expressing their awe at the amount of time, expertise and money that must have gone into the development and deployment of Stuxnet. The comments that it must have been a nation-state attack on a politically motivated target just re-enforces the perception that most domestic industries simply don’t have to worry about such a sophisticated attack against their facilities. After all, there is nothing that they have done that would attract the ire of the US or Israel or any other computer savvy country.

Of course, no one seriously thought on September 10th, 2001 that anyone would seriously consider flying an airliner into an iconic skyscraper in New York City. I mean, how could that be target (I know, some incompetent tried to blow it up with a truck bomb, but really…)? But remember, afterwards everyone saw it coming.

To avoid being second guessed after some future attack, what do we need to do to protect ourselves from an, as of yet, unknown probability of attack on an industrial control system? Remember the current IT industry standards of security would not have protected a facility from the Stuxnet worm. A number of people are suggesting that there needs to be a wholesale reworking of the ICS systems to a platform that is not as susceptible to attack. Others suggest that a comprehensive defense in depth standard would protect against most attacks and reduce the potential impact of those that do get through.

The first approach is going to be very expensive since the proposed systems don’t yet exist. They will have to be designed from the ground up and recouping the development costs is going to significantly raise the initial cost of these systems. Not to mention the lost production time involved in tearing out the old systems, installing, and tweaking the new systems.

What Facilities Really Need ICS Security?

Not every facility with an industrial control system is at risk of terrorist attack. The plant down the street that makes wigets and has a small tank of bleach that they use to clean the wigets is not likely to be attacked. The big time chemical facility that is producing chlorine and bleach and shipping it in railcar lots is certainly a potential target. Clearly the wiget factory does not need the same level of ICS security as the big time chemical facility. Where do we draw the line in between these two facilities?

For chemical facilities the line is easier to draw because of the CFATS regulations. By definition any facility covered under CFATS is considered by DHS to be at high-risk for a terrorist attack. Presumably, all other things being equal, those facilities that are not covered are not at high-risk of a terrorist attack. Even in CFATS, DHS has risk-ranked each covered facility into four tiers. Again, presumably the highest-risk covered facilities need the best security protections.

For other industries the line can get harder to draw. Energy production, because it is all linked in one of three(?) power grids and taking out one producer could have a serious impact on all other producers, certainly needs high-level ICS security. But how do your rank the security threat of automotive manufacturers or their suppliers. How about food processing companies or drug manufacturers?

The other question is do we just need to worry about terrorist attacks? Are there others out there that might want to attack a facility for some non-political reasons? We keep hearing rumors of attacks on facilities in Eastern European countries where the attack is executed just to extort the owners into paying cyber-protection money. Do we need to protect against the same thing happening here?

Public Discussion Needed

This discussion needs to be taken out of the realm of just the computer security specialists. They can provide the information on what is needed to secure these systems, but the value judgment of what needs to be protected is at heart a political discussion. Endless fighting about who is responsible for the current sorry state of affairs is a pointless exercise. We need to decide which systems need to be protected to which standards and then work towards that goal. And we need to get started pretty quick, no telling when the next 9/11 is going to start the public looking for people to blame.