Anyone who watches the news knows that there is an enormous number of vulnerabilities within the Industrial Control Systems (ICS) industry and that the market is inundated with problems. The White House has issued an executive order and subsequently PPD-12 to address the need for Critical Infrastructure Security. The overarching problem is that ICS systems are focused on reliable real-time information, with redundant hardware to prevent data loss or mitigate equipment failure. This core design paradigm essentially negates security at all levels. Now, with the changing landscape of the ICS world, the focus is split between the needed legislation, hardware manufacturers and asset owners.
The government is toying with legislating regulations for critical infrastructure; vendors are haphazardly working to mitigate problems with products, while the asset owners are bewildered. All in all, the industry as a whole seems unaware of the inherent security vulnerabilities the System Integrator (SI) introduces. Not only does the SI have trusted access into customers’ facilities, it is many times connecting unknown equipment to customer systems. When a third party has direct access to your live production system, you need to understand the risks. If you include the fact that the SI maintains all of the customer data on its internal servers, the SI holds all of the keys to a disaster. Even with pending legislation, there are no plans for oversight or regulation of System Integrators. Not only are SIs not prepared to secure customer information, they continue to be oblivious to the risks that they introduce. Many would even argue against the potential of being a target of an attack. To worsen the problem, an SI would never know if it were the root cause, since it is not the final target, and therefore would continue to maintain a casual attitude regarding security. Therefore, the SI is a storehouse of critical information and a perfect vector (carrier) for the transmission of malware or other harmful applications.
With the ever-changing cyber landscape, knowing how to vet an SI’s security posture is critical to understanding your risk. Regardless of the vector, production downtime is not acceptable in the ICS space. Not knowing the risks is also not an acceptable answer.