Posted On: Mar. 09, 2013
The emergence of a new landscape available to cyber attackers is here. The evolution of Industrial Control Systems to provide more effective and efficient data transfer has now taken remote access closer and closer to end field equipment. With the integration of IP based devices that live in a realm where they are fully connected to a system LAN, WAN or even the internet, devices that are intelligent enough to act and make decisions based on pre-defined parameters and devices that take the people component out of the loop, cyber attackers have a found an avenue to cause real world physical damage from the safety of virtual environments.
Legacy control system design philosophies, such as plain text traffic protocols and the use of default passwords are simple examples of how reducing the complexity of maintaining the system has now increased vulnerabilities in our contemporary world. Unfortunately, because of this in many control systems once you get through the perimeter, there is little to no security at all. More and more as regulated organizations need to meet specific standards and requirements to ensure they can operate in the market, the efforts behind using these devices to ensuring the system will run autonomously and safely becomes more difficult. The key is to find the balance to run the system at the most effective level to maximize economic gain and sustainability of the business.
With the fear and increasing risk of cyber-attacks from around the world and the fact that vital systems do not have to be taken down for very long to cause social disorder to spread fear and anxiety among the population, organizations see that they can no longer depend on perimeter protections to keep their assets safe. Reactive measures are being assessed and implemented for security controls in the form of system hardening techniques and authentication, network segregation and intrusion detection systems to name a few. Initiatives to educate company users and increasing awareness with policies and procedures are also coming to light. However, in full circle, proactive measures should be taken where the vendors must be pressured to take responsibility for secure control system products put to market.
Historically, operational technologies have lagged years behind IT technologies since many systems were built around the premise of maximum usability and availability with minimum security as a compromise. For any new system, upgrade or device replacement the procurement phase should involve rigorous assessment and requirement definition from the security features provided by the device/system vendor. Going to the vendor and indicating that cyber security is important to the organization and having them prove business viability is going to be maintained because they can demonstrate known vulnerabilities are secure and future vulnerabilities have an effective mechanism to be patched. In essence proving the product will guarantee resource and delivery promises. Vendors will soon begin to recognize the industry requires a shift towards sophisticated devices and systems that inherently find the balance between productivity and cyber security to protect our critical infrastructure assets that make everyday life possible.