Who Needs a Zero-Day? "Plants are Insecure by Design" - Dale Peterson
Dale Peterson of Digital Bond is one of the most respected security voices in the Industrial Control System community. He runs an annual SCADA security conference called S4 that's always filled to capacity and he has equal credibility with the U.S. Intelligence Community (Dale's an ex-NSA'er) and the private sector. His blog post "Suits & Spooks vs. Engineers" is a great read because it underscores an important issue: security engineers talking exclusively to other security engineers frequently results in nothing getting done. Here's how Dale put it in his article:
Over the past ten years I have seen a dramatic increase in the cyber security of a specific DCS or SCADA system occur in two different ways:
(1) A CEO/COO determines that ICS security is a top priority. In this case the security posture improves dramatically in 2 to 3 years. The security posture reaches a level that most in the ICS security community believe is near impossible or doesn't exist.
(2) The Operations team determines that ICS security is a top priority. In this case the security posture improves to an appropriate level in 5 to 7 years. Improving ICS security is much more of a time investment than an equipment purchase, so with the right emphasis and diligence over years an Operations team can get there.
So one key is to convince the CEOs/COOs, or those who influence the CEOs/COOs, of organizations that run SCADA and DCS that they need to get serious about securing their ICS. Convince them it is in their best risk management interest to devote resources to this and measure results. Unfortunately, we are reaching few if any CEOs/COOs at ICSJWG, WEIScon, SANS Summits, … or on this website.
Of course it would help if those active in ICS security would stop "the soft bigotry of low expectations". The security deficiencies, from insecure by design to basic security implementation vulns, are frequently bemoaned, but the same people who recognize the dire situation more often make excuses than call people or companies out to fix the real problem.
Please read Dale's entire article, and if you agree, please support Suits and Spooks Boston by registering to attend and spreading the word. And if you want to add your company's name to the event, we're still looking for one more corporate sponsor.