Early in his State of the State address at Security Week's ICS Cyber Security Conference on October 24th, 2017, Joe Weiss showed a picture of the first firewall: a two-millennia-old Roman ruin, a literal wall erected to stop the spread of fire. "It didn't work then, and it doesn't work now." He warned in strong terms of the vulnerabilities our industrial control systems continue to exhibit, and of the potential they have to produce widespread, serious, even lethal consequences.
Confusion over terms.
He also deplored the widespread confusion that surrounds discussions of industrial control systems (ICS). SCADA, for example, "supervisory control and data acquisition," is often used as if it were synonymous with ICS. It's not: SCADA systems are a subset of the larger category. There's similar confusion surrounding the use of "cyber" and "cybersecurity" in the ICS field. "Part of the informal working definition of cyber is the IT understanding—someone's trying to steal your data. But what cyber means is electronic communication among systems. NIST and the Presidential directive don't mention 'malice.' In our world, there's a pretty good chance you won't be able to tell the difference between malicious and accidental incidents."
Malice comes in many forms. We tend to focus on the rogue insider or the malicious outsider. People are familiar with Stuxnet, which altered control system logic to change a physical process while presenting operators with normal-looking data so no one would discern what it was doing. But this, Weiss said, is exactly what car manufacturers (including Volkswagen) did with their emissions control software, which behaved one way under test conditions and another way on the road. "That wasn't a rogue insider, but a rogue company."
Other misunderstandings arise in discussions of edge devices, endpoints, and field devices. "IT considers an edge device a router, a switch, and so on. We [the industrial control system community] consider an edge device to be a sensor, valve, motor, controller. They are totally and completely different from IT edge devices."
There have, Weiss said, been some significant recent improvements in our understanding of challenges in the field. There's more focus on ICS cybersecurity, with an associated growth in the number of ICS cybersecurity providers and the general development of more ICS network expertise. We now see more direct monitoring of ICS networks, including deep packet inspection. "At least some vendors" are building secure-by-design control systems. "At least some vendors" are addressing Level 0 and Level 1 devices (in the Purdue reference model, the field devices and basic controllers closest to the physical process). Government, the insurance sector, Wall Street, conferences, and influential authors like Richard Clarke are showing more informed awareness of ICS security. There's been a positive trend in government research and development programs, both domestically and internationally. And we're seeing progress toward developing ICS cybersecurity standards.
But much remains to be done.
We continue to suffer from a lack of technical ICS cybersecurity expertise. Tim Conway (of SANS), on the GridSecCon modern malware panel with Robert Lee earlier this month, said that we "must understand our real challenges: lack of ICS cyber experts and poor understanding of the adversary. The adversary knows our system better than we do."
Weiss said we also suffer from a lack of imagination, and in particular we've failed to address the lack of security in Level 0 and Level 1 devices, those closest to the physical process (the sensors, actuators and controllers themselves) and most remote from traditional IT understanding. We've failed to develop and use a sound vulnerability assessment and gap analysis methodology for those devices. And we've not yet succeeded in bringing an understanding of ICS cybersecurity into the boardroom.
Above all, Weiss argued, there's a major problem with the field's culture. Control systems people tend to find security an impediment: "It hurts; it's not natural for them." ICS cybersecurity is about the process: safety and reliability. The network is important if the process can be affected, and we need to understand the process, the physics, and the interaction of systems. "Our challenge isn't information assurance; it's mission assurance."
Conclusion: safety and security are related concerns (and intent is less important to us than many think).
There have been more than a thousand deaths to date from cyber-related ICS incidents, and billions of dollars have been lost, Weiss said (counting, consistent with his definition of "cyber" above, accidental incidents as well as malicious ones). Safety and security still need to be coordinated. They're related, but they're not the same. Safety is "part of our DNA," but security is not.
Weiss argued that standards aren't adequately addressing Level 0 and Level 1. Among the issues to be considered are vendor equipment notifications, forbidden operating zones, and lack of interlocks. Within an organization, he advocated establishing a cross-disciplinary team that reports to the C-level, "a living ICS cybersecurity program" that integrates operations, maintenance, engineering, IT, telecommunications, forensics, risk, public affairs, and so on.