This time the question comes from an online forum where we were approached about the MSI Expert’s Opinions on an interesting topic.
Without further ado, here it is:
Question: In your opinion, what is the single most important question that security teams should be discussing with SCADA asset owners?
Adam Hostetler (@adamhos) replies:
Do your SCADA managers and IT have a culture of security? It’s still found that many SCADA industries still have a weak culture. This needs to be changed through ongoing education and training (like the DHS training).
This will help engineers and IT develop and deploy stronger network architectures and technologies to combat increasing SCADA risks in the future.
John Davis also weighed in:
I would say the most important question to discuss with SCADA asset owners is this: do you have short term, mid term and long term plans in place for integrating cyber-security and high technology equipment into your industrial control systems?
Industrial concerns and utilities have been computerizing and networking their SCADA systems for years now. This has allowed them to save money, time and manpower and has increased their situational awareness and control flexibility. However, industrial control systems are usually not very robust and also very ‘dumb’.
They often don’t have the bandwidth or processing power built into them for mechanisms like anti-virus software, IPS and event logging to work, and these systems are usually made to last for decades. This makes most industrial control systems extremely vulnerable to cyber-attack. And with these systems, availability is key. They need to work correctly and without interruption or the consequences vary from loss of revenue to personal injury or death.
So, it behooves those in charge of these systems to ensure that they are adequately protected from cyber-attack now and in the future. They are going to have to start by employing alternate security measures, such as monitoring, to secure systems in the short term.
Concerns should then work closely with their SCADA equipment manufacturers, IT specialists, sister concerns and information security professionals to develop mid term and long term plans for smoothly and securely transitioning their industrial control systems into the cyber-world.
Failure to do this planning will mean a chaotic future for manufacturers and utilities and higher costs and inconveniences for us all.
What do you think? Let us know on Twitter (@microsolved) or drop us a line in the comments below.
Cross-posted from State of Security