Everyone knows that security starts simple—patch your machines. But what about the ocean of un-patchable technology that run the daily operations of so much of our critical infrastructure? Industrial Controls don’t live in the world of Patch Tuesday—equipment is amortized over 30-year mortgages and the operating systems can be just that vintage. Not to mention the sheer insanity of bringing down a whole line to patch a system that may or may not come back up with the same efficiency or run-time. Don’t expect simple or unicorn-dust solutions—this is going to hurt.
You wouldn’t buy a ladder whose maker shrugged about safety. Demand better of your suppliers, because in this world safety relies on security. Write it into the contracts starting now. If they want repeat business, they’ll start doing things like offering patching support and testing anti-malware solutions on their own products. Suppliers need to start ensuring their own products include standard security settings—closing dangerous ports, using encryption rationally, etc. Demand that they set security as a default and document it thoroughly—we want to know when we’re choosing to make ourselves more vulnerable to make something a tiny bit faster or more accessible. And you bet they better be reporting vulnerabilities and providing fixes, pronto.
No, you cannot eat the entire ocean or boil the whole elephant at once. So, get yourself acquainted with a way to understand how risky each sort of thing is, why it’s that kind of risky, and then decide what to tackle first. If you’ve got a bunch of XP systems chatting with the public internet and connected to anything on your plant floor, you might want to look at them first. If you’ve been acquiring equipment for 10-15 years, chances are there’s a stratification of technology that you can use to prioritize your actions based on risk. Get yourself a Risk Management Framework!
We know how to build out new capacity, launch a new program, tear down a line, etc. So, we know how to make a list and check it off. Put cybersecurity in the maintenance queue, add it to safety buy-off; whatever it takes to instantiate it in the hearts and minds of the folks on the floor. Identify the most vulnerable of your systems (Risk Ranking FTW!) and get them scheduled for remediation; leverage the same systems you use to plan any other activity on your floor. Even if you’re only able to patch three systems each week, those are three systems that ransomware won’t brick.
So why even do it? Because if you don’t, a simple bit of ransomware from 2013 that would never even burp your enterprise systems will lock you out of all your controls systems one afternoon, and you’ll be stuck paying or screaming to your suppliers for replacement HMIs for a whole plant. Because if you don’t, you’ll find your enterprise digital forensics team on the phone with the FBI trying to untangle how some PLC got re-programmed to make a machine move when it shouldn’t have.
Legacy systems exist everywhere, even pristine enterprise data centers have a relic bumping away in the corner, because some antiquated process requires it. In the industrial controls space, our air gaps, our badging security, our physical controls—all of it is defeated by the tiniest thumb drive or “cost saving (!)” remote access connections. The long game is our only path to sustained security. Hold our suppliers accountable for In-Box Security, security by default. Know what you’ve got and what it’s going to take to secure it. Grind. It’s not a 6-month plan. If you’re average in scope and resources, it’s going to be a 5, 10, 15-year plan to get yourself clear of most of what’s inherently insecure out there. Commit to it. Keep your leadership a little scared, and get it done. We can’t afford not to.