Protecting critical assets: the current state of ICS security
Early this week, internationally renowned security technologist Bruce Schneier took to Reddit for a live Q & A. When asked by Reddit user Hideoos, “how would you rate the current state of ICS security? Are IT-based solutions the way to protect our systems or more endpoint protection? This is an issue with many utilities that are currently on the fence as to where to place their budget,” Schneier dove into the root of the security issue. In short: it’s “pretty lousy”.
In what is now known as “Schneier’s Law”, Bruce has been cited on a number of occasions stating, "Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can't break. It's not even hard. What is hard is creating an algorithm that no one else can break, even after years of analysis". To this end, who is to say a security system is secure? The creator of a system may not be able to hack it, but it is guaranteed that someone out there can. So, then, what happens when security is introduced where it was never designed to be?
When it comes to the security of our industrial control systems (ICS), Schneier comments, “we’ve managed as well as we have so far mainly through the obscurity of those systems. That’s failing as the newer systems use more standard protocols, operating systems and applications.” As smart devices advance into smart buildings and smart grids, our interconnected world is growing exponentially—losing this obscurity and gaining vulnerability.
Nation-E CEO Idan Udi Edry finds that the nature of this problem lies within these new operating systems mentioned by Schneier. “The main systemic vulnerability lies where OT systems meet IT networks, creating a gateway for attacks. These malicious attacks can result in deactivating critical infrastructure with devastating results,” Edry says.
In terms of a solution, Schneier believes “we need both better solutions in the network and better endpoint security. At the technological level, it’s no different from other computers.” Returning to the original question posed by Hideoos, Edry offers his own answer, stating that it does not have to be either/or. An IT-OT based solution can follow through to endpoint security. For example, our Nation-E solution provides end-to-end security for critical infrastructure, operational technology (OT) and the Industrial Internet of Things (IIoT) systems.