At the same time that many organizations are scrambling to insert protective firewalls for their automation systems, business and operational needs are increasing the inter-connectivity of the systems that need protection. In the case of automation systems, the real risk might be the inability to monitor the operation and respond to changing operational dynamics, more than improper access by a small subset of individuals. Because of these competing requirements, even strong perimeter controls rapidly atrophy in effectiveness once they are implemented. Firewalls become so riddled with holes that their ability to provide control functions is severely limited. It is naive to assume that control systems can be isolated.
Look, having outside connectivity sometimes provides more value than the risk it incurs. This is especially true for monitoring-only systems. Say there is a rig or other high location that has a reading that has to be taken periodically. By having an RTU up there, it is no longer necessary for someone to climb up. As a matter of fact, they don't even have to get in a truck to drive out near it. They can read it from the comfort of the maintenance shack. That is a huge safety improvement. Now, a lot of people would argue that this is simple, but many organizations are still climbing ladders to get readings on a regular basis. Installation of a cheap and easy RTU can literally save lives here, not to mention adding to accuracy and precision, which will ultimately result in savings. Even 1% or 2% can mean the difference between profitability and loss for some low-end sites, and they cannot afford complex security arrangements.
(By the way, Tofino might be an answer for them. Eric has the site up for his new company. I'll post more later after I get a chance to talk to him.)
In a different scenario, you have a large, complex site with thousands of variables. In a location like this, the interconnection to the PCN provides many, many essential functions. Many, actually most, significant accidents could have been avoided by having the right people know the right data earlier. Historian feeds to external aggregation points allow engineers across the world to monitor and troubleshoot. Expert talent can be pooled and can always see data from major sites. Subject matter experts can see the data in real time. Not only can this improve safety and efficiency; in a lot of companies it is doing so and has. Other improvements are in logistics (both supplying and planning production to feed customers), maintenance, capacity planning, and many others.
Suffice it to say that these systems need to talk to the real world and vice versa. Firewalls are a must (at least for open and closed loop controls), but just like in the IT world their utility is out of date and waning. More needs to happen. Mike at my company likes to use a statement (that he claims is several steps from its originator via the CTO of N-Circle) that fits this process.
"Firesuits not Firewalls."
I don't think anyone is advocating complete elimination of firewalls; the key is that they are not enough.
Patching has to happen and has to be able to happen quickly. Access controls have to exist and be enforced. Behavior-based protections have to be applied (within reason). Memory protection should be considered. It is essential that you know what your environment looks like and what it is vulnerable to, using tools like Nessus and CoreImpact. Things have to be measured.
The environment has to be monitored.
Not all of these will apply to every system, of course, but overall, all of the tired cliches need to be followed. The key is that they are essential in SCADA systems as well.
The perimeter is leaving SCADA because there is more good to be gained than bad (like it or not from a security perspective), so it is time to adapt your security strategy.
20 November, 2006
Fact # 2 - SCADA Deperimeterization is here