Furthering the cause for critical infrastructure protection
Wednesday, August 13th, 2008
ControlGlobal recently posted an article, “Advances Needed in Control System Cyber Security,” discussing the Control System Security Program (CSSP).
Quoting:
CSSP has produced some significant risk reduction products, including a cyber security self-assessment tool, a detailed cyber security procurement language for control systems, a pocket guide to securing SCADA and control systems, and a set of recommended practices. CSSP has also set up a group within US-CERT to produce control-systems-related vulnerability notices, and CSSP teaches control systems security awareness and mitigation training classes. All of this information is available at http://www.US-CERT.gov/control_systems.
One of the most important initiatives CSSP has undertaken, Hoffman revealed, is the technology assessments they do under contract, and with nondisclosure agreements, for control systems vendors. “Basically, we get the hardware and the control systems engineers from the vendor, and we build a system and get it ready. Then our “Red Team”—that’s the attackers—get six weeks to invade and take control of the system.
“In four years of doing this,” Hoffman said, “we have never been stopped from gaining full operational control over the control systems.”
Now that’s what I’m talking about.
If industry can engage this kind of effort, I think they will be able to avoid ugly regulatory requirements that, IMHO, will generally be reactionary and low value.
From the looks of the CSSP, they are doing some really good things in control system security from a standards development and best-practices establishment perspective.
I’m an IT security guy, not a control systems security guy.
I hear a lot of complaining from the control system side that the IT guys don’t understand the complexities of control systems.
I’ll agree that there’s a lot I don’t know about control systems, but I also believe there’s a lot that the control system community doesn’t know about IT security.
But we can both learn from each other.
One aspect I think IT security can bring is that, in general, IT security systems are constantly under attack, and we’ve had to embrace certain principles in order to achieve a degree of success.
Good IT security embodies the principles of:
- Secure by design
- Secure by default
- Defense in depth
- Constant monitoring and improvement of the security posture
Though the same “technical security controls” I use in a corporate network may not work in the control system space, the fundamental principles can drive a good security practice.
Bill