Eric Byres disagrees with my NOW! presentation and disappointment that he went the SCADA Apologist route. Check his article and comments on it out. Below was my clarification and reply on his site:
You summarize the disagreement fairly, and in a civil way, for the most part my friend (yes Eric and I actually get along well despite some severe ICSsec disagreements). A few minor clarifications:
- You drop the “critical infrastructure” adjective. Each country should have identified the critical infrastructure ICS and be prioritizing those. I think most others should replace their insecure by design devices as well, but if the impact is primarily restricted to the business owner than they can choose to accept the risk. Our hope is Project Basecamp, S4 and other efforts will help inform them of the risk they are blindly accepting now.
- For modern PLC’s, upgrade may be a better word than rip and replace. A number of the PLC’s could be secured by replacing the Ethernet card with a secure version. The cost of this card would likely be less than the cost of a Tofino, both in product cost and lifecycle costs.
- I believe you are not characterizing Reid’s comments correctly on the importance of endpoint security. He did give Tofino a great review when you could block function codes, but if you must allow writes or the dreaded Function Code 80 through, Tofino lets it through. Not a product fault, but a reality. In the end, I’d encourage readers to view the presentation themselves and decide. http://www.digitalbond.com/blog/2013/01/28/s4-wightmans-tofino-raves-limitations/
Finally the key is for the critical infrastructure to replace or upgrade these insecure by design PLC’s and controllers NOW! After I say that, I always get the question of how long it will take. We see these programs typically taking 1-3 years. If an owner/operator says no it is a 2-5 year program, I’m less concerned about the time frame rather than them starting the process. This will break the “Endless Cycle” that a previous commenter described.
Or as many people have told me, we can wait until something really bad happens and then do this on an expedited, less thoughtful, more expensive effort.
I’d encourage people to see my NOW! introduction to S4x13, http://www.digitalbond.com/blog/2013/01/25/s4x13-now-and-the-scada-apologist/, if you want a better understanding of the SCADA Apologist thinking, which is rife in this thread and in our industry. I’ll also be going into this in a lot more detail and examples in “You Have No Integrity” at the SANS SCADA Security Summit in two weeks.
Digital Bond, Inc.