Three Legs to SCADA Security

Wednesday, November 2, 2011 @ 05:11 PM gHale

Editor’s Note: This is an excerpt from Eric Byres’ Practical SCADA Security blog at Tofino Security.
By Eric Byres
On one hand, industry is becoming concerned about just how vulnerable control systems have become to outside attacks. But the irony continues as new tools and applications that increase that exposure are appearing daily.

It is a well-proven fact that human beings are terrible at making good judgments about risk. We badly underestimate the risks of very infrequent, but serious events (black swans). We lean toward decisions that are beneficial or efficient in the short term, as long as the consequences are sufficiently long term. We underestimate the risks for things we can control (like driving a car), but overestimate the things we can’t control (like being in a plane crash).


This is not just a fact for security-related decisions. We are bad at any risk-related decision – health, personal safety, financial planning and so on. Consider the poor smoker – neither gruesome images of cancer victims nor graphic warning labels prevent them from opening those packs and enjoying a drag from their next smoke … Only when a health crisis is upon us do most of us modify our behaviors.

For SCADA and ICS security the story is the same. In the battle between making a task easier and making a task more secure, nine times out of ten, security is going to lose.

Of course, safety and security do triumph sometimes. Smoking rates are falling, workers in factories are more safety aware and driving deaths are declining (at least in the developed world).

Typically these wins come from one of three causes:
1. Sustained educational programs.
2. Enforced management of behaviors.
3. Simplified risk reduction technologies.

Consider driving deaths due to car accidents. The combination of massive educational programs on the risks of driving without a seat belt, laws requiring the wearing of seat belts, and the introduction of improved safety technology (such as antilock brakes and air bags) in automobiles all drove the death rate downward. All three have been critical legs to the solution. All have been expensive and slow to see significant results. But they do get results.

ICS and SCADA security needs to take a page from the lesson book of safety, especially industrial process safety. Significant progress has been made in this area over the past two decades:

Years of repeated safety education programs have slowly made safety top of mind for anyone entering an industrial site.

Well-designed standards like IEC-61508 (Functional safety — Electrical/electronic/programmable electronic safety-related systems) and IEC-61511 (Functional safety — Safety instrumented systems for the process industry sector) have led to well-designed safety strategies.

Significant improvement in the technologies and ease of use for safety integrated systems (SIS) has made deploying a safe process an economically viable reality.

All three have been critical to achieving safer plants and factories.

We are not going to be successful at making our factories and infrastructure more secure unless we embrace education, standards and technology as the three legs of the solution. Furthermore, each leg needs to be well-designed. Education that is sporadic, poor regulations that reward compliance rather than results, or technology that is complex and cumbersome will doom the quest for better security.

Regarding technology, the battle between security and efficiency has to end. These two characteristics need to become one, that is, the cyber security solution itself must help the plant become more efficient. The technology should allow the business and its engineers to achieve their goals.

Robust yet simple and easy-to-implement cyber security technology, sustained education and well-thought-out standards are all required to end the battle between security and efficiency – and truly protect our plants and critical infrastructure.

Eric Byres is chief technology officer at Byres Security.
