There is an interesting adverticle
(my blog, I can make up words) over on ChemicalProcessing.com that advertises a
wireless control system device with what is described as ‘plug-and-play
technology’. This is hardly a new concept as the Windows® environment has been
using this type of device linkage to make home (and business) computers much
easier to expand. It also lowered the computer skill level necessary to operate
these more complex computer systems.
Now I don’t know anything about the device described in this
article so I can’t make any statements about this particular implementation of
the ‘plug-and-play’ concept in industrial control systems. It does raise an
interesting question, however: do we really want to lower the skill level
required to implement an expansion of an industrial control system? Won’t this
just aggravate the existing control system security problem?
We already have a situation where there are not enough control
system engineers available to ensure that there is someone on-site at critical
infrastructure facilities to make reasonable decisions about security issues
with control systems, to test and validate patches, or to monitor systems for
potential attacks. With plug-and-play expansions of the control system
technology we will be allowing the expansion of already complex systems without
the necessary technical oversight to ensure that such expansions don’t make
existing security and safety problems more common.
Emerson is certainly a respected control system manufacturer
and has only had a few security issues identified by ICS-CERT (here, here, here and here) so I
would like to assume that they have created a module here that is free from any
readily identifiable security concerns. But if they do discover a subsequent
problem, will a plug-and-play facility have the expertise to identify the need
to patch the device firmware, be able to test the patch to ensure that it does
not create more problems than it solves, or even be able to implement the
patching process?
And, of course, if plug-and-play becomes the next ICS
have-to-have sales gimmick (and management will have to love this for reducing
engineering overhead) then we will have to contend with the problems associated
with other vendors that do not have Emerson’s level of security design and
implementation expertise.
I know that I am a voice crying in the wilderness here, but
until we get the industrial control system security situation under control, we
really don’t need to be making it easier to deploy or expand such systems
without adequate in-house control system expertise.
1 comment:
Can't we have simple systems with high security?
Do these contradict?
They do not have to.
ICS security is not necessarily about complexity in the ICS. A secure system can be simple with a smart mechanism that would enforce complex and smart security means.