Editor's Note: this is an excerpt from the Pike Research Blog.
The story goes that a group of business people were stranded on a desert island with a bountiful supply of canned and therefore imperishable food, but no way to open the cans. As the group struggled to find a solution the lone economist in the group piped up, “Assume a can opener…”
No one single solution can provide complete security for ICS networks. Image Credit: Amco Houseworks
Sometimes it seems that’s how we approach industrial control systems (ICS) security. “Assume a secure perimeter…” It’s not fair to expect any single product or any single vendor to provide complete security for ICS networks, and yet we seem stuck in a world of point-solution purchases and security without any overriding architecture. It’s as if we’re saying, “If I can just get me some [insert technology of the week], then I’ll be secure.”
Barely 3 weeks into the new year, I have already had wonderful briefings from companies whose products lock down privileged IDs, ensure clean networks by detecting attacks at network choke points, heuristically identify attacks though behavior analysis rather than signatures, protect control networks from the lawless jungle that is enterprise IT, and so on.
All of these approaches are good, and all of them are necessary. But in isolation, none protects an ICS network. Cyber security still begins with risk assessment, not product purchase. Every utility is a business, and every business is unique. So before you go ask for this year’s cyber security budget, do a little planning. Skip the shortcuts.
To the utilities that have a shopping list of security products but no overarching plan how to use them: You might be amazed how much you can save in deployment and ongoing maintenance with just a little thought. Over the years I’ve seen countless companies purchase a less expensive product without planning how it would be supported. A bargain is no bargain when it requires an excess staff of 10 full-time employees for 10 years to support it.
To vendors happy to show up at a utility and sell only their product: think about your customer as a business, not an account. If you don’t see enterprise security planning going in, bring in some help. Maybe that help is a systems integrator, maybe it’s just a single security assessor. Maybe it’s collaboration with other cyber security vendors or even – gasp! – a competitor. No matter what, understand the whole problem, not just the problem that your product will fix.
There is some cause for encouragement. Compared to 2 years ago, vendors are much more likely now to tell me that they are part of a full cyber security solution. Utilities have become much more methodical in their approach to cyber security – especially as OT teams have become savvy and made their reliability requirements part of cyber security projects.
Does your organization do big picture cyber security planning? If not, do you see a transition in that direction? Let me know your thoughts.
Senior Research Analyst
Practical SCADA Security thanks Bob Lockhart and Pike Research for this article.