"An attacker with ICS knowledge would use the features rather than an unpatched [vulnerability] to compromise the system," Peterson says.
Of course, not all IT systems are the same. Security experts agree there are scenarios in which a lower level of security is acceptable.
Perry Pederson, a principal at The Langner Group, says those customers who have taken steps to harden and isolate systems should be more confident that they are protected. However, it is harder than ever for companies to know for sure that air-gapped systems aren't accessible from the Internet or an adjacent network. Critical infrastructure vendors and operators often rely on cellular networks and wireless technology to remotely manage their infrastructure.
This presents a tremendous convenience, but customers and vendors often fail to comprehend the risks that go along with that convenience. The result has been the increasing exposure of systems that were long viewed as unreachable, thereby surfacing security failings not considered meaningful enough to address when those systems were designed.
If security issues around unmanageable devices look bad now, the near future is even worse.
The computing landscape 10 years out will be vastly different than it is today, thanks to growing adoption of portable, sensor-rich, Internet-connected devices — the so-called Internet of things. Many of those devices will operate outside of traditional IT environments.
As opposed to computing environments of the past two decades, these will not be technology monocultures; Microsoft dropping support for an operating system like XP will matter a lot less. But a different kind of monoculture is emerging in its place: one of commodity hardware — the inexpensive processors, controllers, and sensors already in use by everyone from Fortune 100 manufacturers to crowdfunded "smart device" entrepreneurs.
Speaking at a recent conference in Cambridge, Mass., Dan Geer, Chief Information Security Officer of In-Q-Tel, the Central Intelligence Agency's investment arm, warned that the proliferation of smart, embedded devices that are both long lived and unmanageable creates the conditions for massive disruption if flaws and other exploitable vulnerabilities in common components used across commercial environments and critical infrastructure lead to what he terms "common mode" failures and crippling cyber attacks.
Such systems — smart refrigerators, in-pavement traffic-monitoring systems, or crop-monitoring drones — may be of negligible importance individually, but already pose a serious threat "at scale," Geer warned.
"That combination — long lived and not reachable — is the trend that must be dealt with, possibly even reversed," Geer told an audience at The Security of Things Forum.
What is the proper response? Security experts say there is no quick fix. Consultants such as Digital Bond's Peterson work with infrastructure operators to understand their vulnerabilities and take reasonable measures to secure their IT environments from likely attacks. But with so many legacy systems that are so lacking in basic security features, the risk of compromise is always there.