The New Year is here already, and with it comes the 10th annual Digital Bond S4 conference on industrial control system security. Experts shared a mostly optimistic mood for OT security in 2017. A summary of main-stage highlights is below. We’ll comment on the technical deep dives and our capture the flag contest in subsequent posts (spoiler alert: clean shirts for us, the ‘pie in the face’ flag still stands!).
Optimism stems from market leaders releasing new generations of security hardened solutions. Security development lifecycle (SDL) investments are bearing fruit and ushering in a welcome shift in technology. At last, critical infrastructure providers can plot a course of upgrades and sunset their fragile, ‘insecure by design’ systems.
OSIsoft and the modern PI Server have contributed to this widespread optimism with major releases in 2015 and PI API 2016 for Windows Integrated Security. SDL-hardened application code on Windows Server Core, along with a reference architecture using high availability and web application services for PI visualization, is a very effective defensive strategy for the PI System.
Some of the S4 presentations documented the high cost of ‘digital carelessness’ with case studies ranging from ransomware affecting industrial control systems to the ongoing targeted attacks on Ukrainian critical infrastructure. It appears no amount of bolt-on security solutions can keep pace with threats.
The US Department of Justice National Security Division and global law enforcement have ramped up activities following breaches in central banking (Bangladesh) and the SWIFT global financial network. Banking was once considered sacrosanct. Domestically, we observe the Federal Trade Commission filing a complaint against D-Link for failure to take reasonable steps to secure routers and Internet-protocol cameras. This is perhaps a ‘shot across the bow’ that all IoT solution providers will be watching.
Richard Clarke (former National Coordinator for Security, Infrastructure Protection and Counter-terrorism) called for regulators to impose a deadline for addressing critical infrastructure protection. While conceding an unfavorable political climate for forcing such a mandate, Clarke cited Y2K as a model for accelerating massive updates.
Whether you believe Y2K was a preemptive success or an overblown farce, the example has an interesting parallel with SDL because remediation was also code-centric. A key distinction, however, is the identification of potential issues. Testing for Y2K was straightforward; this isn’t the case for cybersecurity.
Methods for assessing software reliability and security are potentially endless. Our objectives this year include metrics to monitor SDL processes. We are also studying ways to catalog and publish industry benchmark reports such as Microsoft BinSkim, Cyber-ITL.org, and Mozilla Observatory.
The adoption rate of hardened software versions in the field is still an elusive metric. In the meantime, we have initiatives designed to provide you with improved visibility into your PI System infrastructure and health. You can learn more and provide ideas in just a few months during UC 2017 in San Francisco!