Well done to Shell for drawing public attention to the serious hazards presented by cyber attacks on physical machinery. Unfortunately it’s much too late. Today’s critical infrastructure is riddled with security vulnerabilities and insecure external connections. SCADA systems have been under attack for more than two decades, many since they were first deployed. Yet security standards remain weak, despite continuous growth in the power and sophistication of both the systems themselves and the threats to them.
Many government and industry authorities think the answer is better awareness and public-private dialogue. Unfortunately, that’s far from sufficient. We already have plenty of that. What we’re missing is better solutions and incentives. In the case of SCADA security, I expect that all the major players are generally aware of the risks, but the available solutions are inadequate or unpalatable.
Fixing the problem cannot be left to the marketplace. Companies will not willingly rip out insecure platforms, disconnect operational systems or spend a small fortune on higher security solutions. Tougher regulation is the only solution. But there remain two barriers to building an effective stick.
The first is that today’s security standards do not guarantee high security. They are based on outdated collections of controls, designed for a business environment that was less connected, less externalised and less threatened. They promote light-touch security management systems rather than strict engineering disciplines.
The second is that few of today’s so-called best practices are capable of withstanding a professional attack. Security has become a commodity, based on cut-and-paste policies, commercial off-the-shelf technologies, and testing based on routine platform scans rather than imaginative attacks. We have built a dangerous monoculture of identical defences, which have been progressively eroding.
The security community needs to raise the bar rather than embrace low-cost, convenient solutions. No less than a revolution is needed. Compliance is not healthy unless it encourages innovative solutions and enforces effective rather than commonly accepted standards. Unfortunately, such thinking is far too radical for most regulators and standards committees.