One of the common refrains heard again at ISA Expo is that IT firewalls are too difficult to configure and deploy. Several presenters, especially those promoting field security appliances, mentioned this, and it seemed to be generally accepted. While I'm all for simplicity and credit the vendors for trying to ease deployment, firewalls are simple compared to deploying PLCs, defining points in the SCADA database, developing displays, tuning control loops, and the myriad other detailed configuration steps required to make a control system work.
A firewall ruleset is as simple as defining rules by source address, destination address, protocol and port, with everything not explicitly allowed being dropped. Since communication in control systems is far more limited and predictable than on the corporate network, the ruleset is usually very small.
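To make that concrete, here is a small model of such a ruleset as an added example (it is not code from the original post or from any vendor product). Rules are matched on source network, destination network, protocol and destination port, and anything that matches no allow rule is denied. The zone addresses, the historian port and the use of TCP/502 for Modbus/TCP are assumptions for the example; the `overly_broad()` check flags the any/any rule that tends to creep in during commissioning.

```python
"""Minimal model of a control-system firewall allowlist with default deny.

Added example, not the post's own material. Addresses, zone names and
ports below are assumed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # CIDR; "0.0.0.0/0" means any source
    dst: str              # CIDR; "0.0.0.0/0" means any destination
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None means any destination port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """True if the flow falls inside the rule's source, destination, protocol and port."""
    return (
        ipaddress.ip_address(flow.src) in ipaddress.ip_network(rule.src, strict=False)
        and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(rule.dst, strict=False)
        and rule.proto in ("any", flow.proto)
        and rule.dport in (None, flow.dport)
    )


def evaluate(ruleset: List[Rule], flow: Flow) -> str:
    """Return the name of the first matching allow rule, or "DENY" (default deny)."""
    for rule in ruleset:
        if rule_matches(rule, flow):
            return rule.name
    return "DENY"


def overly_broad(ruleset: List[Rule]) -> List[str]:
    """Names of rules that match any source and any destination (any/any)."""
    return [
        r.name
        for r in ruleset
        if ipaddress.ip_network(r.src, strict=False).prefixlen == 0
        and ipaddress.ip_network(r.dst, strict=False).prefixlen == 0
    ]


# Constructed zones (assumed addresses).
HMI_NET = "10.10.1.0/24"     # operator workstations
PLC_NET = "10.10.2.0/24"     # controllers
HISTORIAN = "10.20.0.5/32"   # plant historian
ANY = "0.0.0.0/0"

# The whole ruleset for this cell: two lines. Everything else is dropped.
RULESET = [
    Rule("hmi-to-plc-modbus", HMI_NET, PLC_NET, "tcp", 502),     # Modbus/TCP (assumed)
    Rule("hmi-to-historian", HMI_NET, HISTORIAN, "tcp", 5432),   # assumed historian port
]

# Constructed sample flows, as a firewall would see the initiating packet.
SAMPLE_FLOWS = [
    Flow("10.10.1.15", "10.10.2.7", "tcp", 502),   # HMI polls PLC: allowed
    Flow("10.20.0.5", "10.10.2.7", "tcp", 502),    # historian talks to PLC: denied
    Flow("10.10.1.15", "10.10.2.7", "tcp", 80),    # HMI to PLC web page: denied
    Flow("10.10.2.7", "10.10.1.15", "tcp", 502),   # PLC initiating to HMI: denied
]


def main() -> None:
    for flow in SAMPLE_FLOWS:
        print(f"{flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {evaluate(RULESET, flow)}")
    print("overly broad rules:", overly_broad(RULESET + [Rule("temp-any", ANY, ANY, "any", None)]))


if __name__ == "__main__":
    main()
```

The model assumes a stateful firewall, so only the direction that opens the connection needs a rule; reply traffic rides on the connection state. That is exactly why the ruleset stays short: an HMI polls a PLC, a PLC does not open connections to the HMI, and a historian has no business reaching a controller at all.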
How simple is that compared to monitoring and controlling a complex process distributed over a plant, or over a large part of the country, with 5,000 points or 100,000 points? I was introduced to control systems in 2000 and have worked on a large number of SCADA and DCS systems in a variety of industry sectors, and I still marvel at the effectiveness and attention to detail in these systems. There is nothing in firewall configuration, or in any other IT security system configuration, that comes close to the complexity of configuring and deploying a control system.
So the real objection to firewalls must be that they are a different technology and a potential point of failure, not that they are hard to configure.
In new systems, the factory and site acceptance tests surface so many potential problems that adding any complexity, security included, is avoided if at all possible. If security is not treated as a requirement, the way redundancy is, it will not be given priority.