ICS as a Service

Jake Brodsky has an interesting article over at SCADASEC Magazine about the need for and the costs associated with establishing an ICS lab; it is well worth the read for both technical folks and people who use industrial control systems. What struck me, however, was how expensive an operation this would be and how it would be justified to management.

A refinery, big-pharma, or an automobile manufacturing plant; sure they could afford it (and probably could not afford not to have it, sorry about the double negative), but I come from a background of small specialty chemical manufacturing plants. The biggest OT staff that I have worked with was a single control system engineer supported by a lonely tech. Other times, it was only a tech who was also the plant electrician. I suspect that the largest number of automated facilities have similar levels of staffing; the minimum number to keep an outside designed and integrated system in operation. Major problems…. Call the contractor.

And that reminds me, who has a security operations center (SOC)? Certainly not the places that I have worked. Again, could not afford the expense. But, both operations would really make any industrial control system more efficient, safe and reliable in the long run. Anyone that relies on an automated control system to keep product flowing out the front gate really needs the support provided by both an ICS-Lab and an SOC.

Maybe it is time for smaller organizations to stop relying on integrators to set up their control systems and start looking for a supplier of ICS as a service (ICSaaS; there you go, it is now a thing complete with fancy *aa* acronym). This would be a one stop shop that would provide integration services, security and efficiency monitoring, operator training, and patch/upgrade testing services. They could also provide data analysis services for process problem diagnostics and process improvement activities. In short, all of the ICS bells and whistles that the big guys take for granted and the small guys just cannot afford to even dream about.

And these ICSaaS guys could certainly afford Jakes ICS lab.

BTW: Jakes ICS lab would also be a good place to train ICS security folks. Just saying.