Cloud Computing

I had finished my presentation on a wide variety of topics Big Data / Cloud Computing / Internet of Things / ICS remote access, and the Q&A had started. After stressing in the presentation that ICS data can be shared anywhere without jeopardizing the integrity and availability of the ICS, but non-emergency remote access to critical infrastructure ICS must not be allowed, I got the question that illustrates the challenge in making progress in ICS security.

Paraphrasing the question … “What you recommend is impossible, especially for the next generation of workers that expect to be able to make changes to the plant from their basement on their iPhone. Given that prohibiting remote access is impossible, what is your recommendation to secure it?”

IT’S A TRAP!!! and one that I refuse to play along with. The depressing thing was looking out at the audience I could tell that a large portion, a majority?, agreed with the questioner. An audience of vendors, asset owners, consultants, government officials et al that are looked at to define ICS security thought that it is inevitable and acceptable that critical infrastructure will be controlled from phones, tablets and laptops anywhere, anytime as a regular occurrence.

This is one of the reasons I have significantly reduced the number of ICS security events I attend and speak at. If the ICS security community was going to force change and solve this problem it would have happened by now. Change is going to come from outside the ICS security community or not occur until a very sad and tragic event or two happen. And this is not something I’m willing to wait for.

There were a number of supportive attendees who came up after the presentation. And please don’t misunderstand, I welcome disagreement on a presentation or solution (see Darren Highfill’s S4x14 Unsolicited Response), but not surrender. It is also important to note that there are a number of critical infrastructure asset owners that are doing, and are committed to continuing, what the questioner said was impossible.

This is one of many areas that the US Government and DHS could take leadership if they choose to. The DHS response to the insecure by design problem was not to focus on this as an issue that must be fixed. Instead DHS took the position that insecure by design would not be considered a vulnerability worthy of an ICS alert or advisory. It would have been surprising, but refreshing, to have someone from DHS push back hard on the inevitability of anytime/anywhere critical infrastructure remote control comment and say this should not be an option in critical infrastructure.

Attendees and others interested can see my Prezi online at this link. Admittedly, the picture based Prezi is a bit harder to understand unless you were there or the entire script is included.

Given this was a DHS event, I thought it only appropriate to focus on ICS that monitor and control the critical infrastructure. So after quickly dismissing the Internet of Things, with an interesting WEIS statistic, the bulk of the presentation used the GE On Site Monitoring / Atlanta Data Highway as an example.

Monitoring 1800 power generation systems in 60 countries is a great example of the promise and benefits of Big Data / Cloud Computing. It also is a big, fat, high value target. Does this mean that critical infrastructure ICS should avoid these types of services? Absolutely not. Just push the data to them so the integrity and availability of the ICS is not at risk.

Does Software as a Service (SaaS), e.g. an HMI in the cloud, have a place in ICS? While SaaS has no place in a critical infrastructure ICS, you can make an argument that an HMI in the cloud might be lower risk for a small municipal water utility than a completed neglected ICS with a weak security perimeter.

Tomorrow I’ll write about the rest of the ICSJWG event.

8 comments to My ICSJWG Prezi

  • RonF

    The “I agree with you, however, reality is that implementation is impossible” crowd is puzzling to me. The few I’ve talked to are too black & white when it comes to remote access. They either think that you are saying “disconnect everything” (which your atlanta data highway example clearly contradicts) or they cannot understand the difference between remote access from a secured control room over a dedicated network and “let me open this breaker from my daughter’s iPad in my hotel room”

  • I am one of those with the full range of experience living with and without remote access, My take: although it is technically feasible, secured remote access risks can not easily be justified.

    Few who ask for remote access understand what they’re even asking for. Almost none understand the underlying security principles that keep their access secure.

    As such, it is very hard to recommend any secure remote access scheme until at least some basic understanding of the security model, dependencies and trusts becomes commonplace.

    The question is what is at risk, what can be gained by remote access, and what effort is required to keep it secure. Then ask yourself whether that effort would be just as easily done with local automation or by sending someone to just look at the damned thing.

    Most of the time, you’ll find that it’s easier and safer to just send someone.

    I say this as someone who has been on call, gotten those calls at 2 AM, and lived with and without remote access for more than 25 years. We cut the wires to our remote access on September 11, 2001 and haven’t found sufficient cause to put them back yet. We have had one instance where, due to warranty service, an ignorant project manager specified remote access to a single substation on one of our plants. Without going in to gory details It went very badly for every one involved.

    Remote access is a great looking idea until you actually try using it. Been there. Done that. Got the T-Shirt, Wore it out, and then used the rag to mop up the mess.

  • Ralph M

    I might not be surprised that people would consider remote control as desirable and capable of being secured, but impossible? That is a little scary.

    I’m intrigued by the spearfishing episode too. Maybe this was old news but was the WW site compromised and used to track how many people clicked on an email from an unknown sender?

  • It’s not that remote access is undesirable or that it can’t be secured. The problem I have is that the training, coordination, tracking, and review is much more expensive than most people realize and the risks are often unknown to the people using it.

    The solution is indeed so expensive that other options, such as developing better alternate local controls are actually more economical.

  • Dale Peterson

    Ralph – the ICS spearphishing slides were from a S4x13 session. You can see the video at this link:

  • bryan owen

    ICS directly connected to the internet is worthy of top priority.

    Eliminating remote access except for emergencies seems like a viable approach.

    Why be normally discoverable on the internet? Especially for applications where ICS change orders are infrequent. There are elegant ways for operators to open the comms when needed and with approvals.

    One potential caveat involves remote admin access for the OT infrastructure. The cat may already be out of the bag If that service is already outsourced. Why deny remote access to your own people if inherently granted to your telecom provider.

  • At this time there are already major industry subsectors such as hydro power plants, water treatment facilities, or small chemical plants, that live on the concept of remote access — not for emergency maintenance, but for day-to-day operations of unmanned sites in remote areas. I don’t see a point in fighting the last war that was lost a long time ago. Having that said, as probably every reader of this blog is aware of, remote (VPN) access can be made secure.

    The other thing that puzzles me about this blog post is the idea that the US Government and DHS “could take leadership if they choose to”. What indications do we have that they could? I must say that I don’t see any. Anybody interested in a history of USG failure to address cyber threats is suggested to read the history lesson taught by Jay Healey in the first chapter of his book “A fierce domain: Conflict in cyberspace, 1986 to 2012″.

  • Dale Peterson

    Ralph – You may be correct that remote access is “the last war”, although it has not been lost on all fronts. The major point of the presentation was cloud computing / SaaS is the battle that is just starting, and we should not lose this one in critical infrastructure ICS.

Leave a Reply