What Are We Doing Wrong?

What are we doing wrong when it comes to securing these systems?

The operator interfaces, where you see pictures of control rooms and whatever, the screens, that's Windows. Or Unix. Or Linux. You can secure that the way you're used to having systems secured. The devices that basically feed those interfaces, the actual controllers, the sensors, the things in the field, are not Windows. They don't have secure operating systems. They are very computer-resource-limited. You can't do or apply the type of things you would to secure Windows.

You spend your time trying to develop encryption. If you want confidentiality, you don't want people to be able to read things. Doesn't matter how many times you send things, as long as when it finally gets there, nobody could figure out what your credit card number was. In a control system, this thing has to operate within milliseconds. If you send something and it doesn't get there or it gets misinterpreted, bad things happen. Either things malfunction or it shuts down. So rather than keeping these control systems from revealing data, as is the concern in data security, we should be more worried about being able to determine if commands coming in are legitimate. We're concerned that wherever this data is coming from is where it said it came from. We care if output is 60 percent and not 6 percent. That's what we care about. All this work on encryption is good, but it's not all that relevant. Where's the work on authentication and integrity? There's very little [of that work being done].

So what you're saying is that security just doesn't translate well from the PC world into the system controls world?

[Right.] Another thing is that we use different protocols. We're not just IP. You don't have all day to do a stateful inspection and try to figure out what's in there. It's very different. The technologies we need are specific to these systems. And we don't have that many people who know these systems.
We have people developing Windows firewalls for control systems. How many of those do we need? Not many, I'd think. We're not getting the things developed that we need developed. First and foremost, these systems need to be treated with at least as much security as you treat your mainstream IT systems. And that's what they've refused to do.

The industry?

Neither NERC [North American Electric Reliability Corp.] nor the utilities are. They have refused to address [these issues]. We're trying to force the issue, myself, NIST [National Institute of Standards and Technology] and some others. NERC and the industry have made clear they don't want it at all. This whole thing is forcing what they didn't want to have happen. Some of it isn't even programming. A lot of it is getting the people who run these systems to work with people who know security but not control systems and come up with teams to do this. The bottom line is that the utilities simply don't want to do very much, and, consequently, what they've done is written a standard that provides all sorts of exemptions and exceptions and ambiguousness so they can do as little of what they consider necessary and not have to do anything.

What people have done is they've taken the normal approach, the old CIA approach with confidentiality, [etc.], and in the traditional computer world, [where] the thing you're most concerned about is confidentiality.