Wednesday, July 1, 2009

Smart Grid Security and Some Timely Truths Re: Industrial Control Systems

Industrial Control System (ICS) expert Joe Weiss of Applied Control Solutions presented on the Cyber Security implications of control systems at a recent Air Force Cyber Security symposium. This is new ground for CIOs and cyber professionals reared on IT systems and networking and these findings are important on their own.

However, in the context of the emerging Smart Grid, they are a timely and necessary wake up call. Two categories speak clearly to visitors from the IT world: which haracteristics of typical ICS deployments differentiate them from IT, and some popular security misconceptions or myths many harbor about them:

General ICS Characteristics
  • Management – Generally CIO not responsible
  • Administration – Generally not centralized
  • Patches – Generally not frequently applied (no patch Tuesday)
  • Threats – Unintentional is very important
  • Obsolescence – ICS replaced after 15-20 years
  • Remote access – Often necessary
  • Certifications – Not available yet
  • Educations/training – Needs to be for ICS
ICS Security Myths
  • Using Windows and TCP/IP “make it IT
  • External malicious threats are always the biggest concerns
  • Firewalls make you secure
  • VPN / encryption use makes you secure
  • IDS will always catch control system attacks
  • Higher-to-lower security zone connections are always more secure
  • Field devices can’t be hacked
  • You are secure if hackers can’t get in
It's worth your while to see Weiss' full presentation if control systems are new territory for you ... and the odds are, they are.

No comments: