"There are only about 500 people in the world who really understand industrial control system security."
I heard this comment at an event recently, the Siemens Automation Fair in New Orleans. It was stated by Marc Ayala, ICS/SCADA security manager at Cimation, a security solutions company specializing in automation, industrial IT, and enterprise data solutions, including oil and gas.
I wasn't sure if I heard correctly, or if Marc may have been off base, so I followed up with him after the event. He didn't back off the statement. He did qualify that he was referring to people who are protecting the control system side, and not the enterprise or IT security.
Marc got into security by accident, sort of. While looking at his company's enterprise, he said he was "baffled by the fact that most of my historians had connections to legitimate machines. I gave this list to my IT guys, who agreed that the connections were to valid machines. However, they didn't know who those machines belonged to."
The machines were on their network and were pingable, but they weren't sure what they were, where they were located, or who operated them. That's a pretty scary situation. But unfortunately, it's far too common.
When you think about industrial security and what needs to be protected, think about the three P's -- people, property, and production. Clearly, safety is the No. 1 element. That typically refers to people and the environment. Property is pretty obvious, but it comes in after people. With respect to protecting production, sustainability is the key. If production goes away, business goes away. That's clearly a bad thing. You could argue that too often production shows up as No. 1 on this list, although not too many people would admit it.
Here's an element of security that I would not have thought of (I'm clearly not on the list of 500): Adobe Acrobat Reader is the de facto standard deployed on control systems to read your online manuals. Adobe Acrobat is a crucial vulnerability point.
Many security intrusions have exploited the limitations of Adobe Acrobat, including both the Reader and the Updater. Unfortunately, far too many users don't keep that application up to date and are running older versions of Acrobat Reader. Not only could an intrusion affect the system it enters through, but it also has the potential to bring down an entire enterprise.
It's a scary situation. Make sure you're running the latest versions of all your software, and seek out one of the 500.