Many IT security vendors have a minimal understanding of industrial control systems (ICS) and try to sell technology that could easily damage the devices found in plants running the nation's critical infrastructure, experts say.
In a recent blog post, Joe Weiss, a well-known expert in industrial systems who has testified before Congress on cybersecurity, took the IT security industry to task for believing it can provide ICS security with only slight modifications of existing products. This approach, Weiss wrote, showed no understanding of the technology that the vendors were trying to protect.
"Before they really start providing technology that's going to be applied at the real-time control layer, they better have a lot of domain expertise," said Weiss, founder of consultancy Applied Control Systems and former technical manager for the Electric Power Research Institute. By domain, Weiss means the actual control system within a substation, power plant, refinery or pipeline.
Too often, vendors are trying to apply security designed for protecting data in a traditional information technology network, which has very few similarities with a network of ICS devices, experts said. For example, in the former environment, a malware-infected computer is simply taken off the network. The same approach in an ICS could lead to a catastrophe in a power plant, manufacturing facility or oil and gas pipeline.
"If you do that on the plant floor, you'll blow things up and kill people," said Walt Boyes, editor in chief of Control magazine and ControlGlobal.com, which specialize in covering the automation industry.
Within an industrial control environment, the data is only important in terms of what it is telling a device to do, such as opening or closing valves, increasing or decreasing the pressure of liquids flowing through pipelines or raising or lowering production temperatures in a manufacturing plant.
"One of the big things we care about is [machine-to-machine] authentication," Weiss said. "We don't care if you see it [the data], but we damn well care that it's actually coming from where you thought it was coming from."
Security vendors tend to be Windows-centric, since Windows is the dominant operating system within IT environments. In an ICS, the technology often includes proprietary embedded operating systems, 1200 baud modems and applications where using a 286 processor is considered modern, Weiss said.
Such limited resources are not something IT security vendors are used to dealing with. For example, the processing power used in a typical update of signatures in antivirus software would take down some ICS devices for six to eight minutes.
Even the most innocuous tasks in an IT environment could spell disaster in an ICS. For example, pinging all the devices on a network to see which hardware is running, a routine task in IT, could easily cause a controller in an ICS to shut down.