Many times I have wondered what really makes Cyber Threats for Industrial Control Systems or Real Time Systems that different from traditional IT systems. There are a thousands of documents that try and detail the differences and I am sure that most get the gist of the statement but few have tried to apply the thoughts in a real time environment. I think I will take a term that Dr. Jonathan Butts succinctly stated,
lethality. So if we all agree that ICS systems have a much greater ability to kill then we can also initially agree that they are more critical to secure with Cyber than traditional IT systems. OR… are they really. I think that with all of the years of trying to beat Cyber into ICS stakeholders, engineers and management I have missed the point. The solution is actually more simple than cyber, it is the physical systems.
Over the years the physical systems have slowly evolved into technology, and like most technology we have grown accustom to it idiosyncrasies, faults and really accept much more risk than we normally would. Many ICS client have migrated from robust electro mechanical systems that had many controls and safety devices designed to compensate for human error to PLC and DCS controlled systems. These ICS systems are computer controlled so human error seems like less of a factor and the traditional safety system have faded into faint memory. I am not saying that all safety systems have disappeared but many have.
So here is the thought. ICS stakeholders, engineers and management truly understand safety systems. These systems consist of physical controls, manual safety overrides and traditional checks and balances. There physical evidence that the system is functioning properly and simple test that Control Operators can run and understand. The “BLACK BOX’ of Cyber is removed from the safety side of the threat.
The real question is if a ICS system has the physical safety systems to control the lethal effects of a cyber attack, then is the SCADA system more like and traditional IT system. If so would this allow reduce both the risk and attraction of Cyber attacks?