Don’t forget about the C in Critical Infrastructure Safety, Security and Scalability: Mu Security Blog
At the recent SANS
SCADA in New Orleans, Eric Byres, Byres
Security CTO and Kevin Staggs, engineering fellow and global security
architect, Honeywell
Process Solutions discussed and demonstrated for the first time how undisclosed
serial-based critical infrastructure products, including those with IP-based
network architectures, are quite exposed to more safety issues and ultimately,
failures, in ways never before possible.
The SANS audience of 100+
participants witnessing the demonstration quickly realized that critical
infrastructure user’s combined use of common off the shelf (COTS) network
protocols (e.g. TCP) and SCADA-style process control systems exponentially increases
their safety compromise scenarios. Many
vendors now use open source libraries and outsourced development too. This often unknowingly increases product complexity
and attack surface coverage weakness risks multiply too.
Without effective cyber safety and security processes and certifications
(such as those being proposed by ISA’s
SP99 working group and the ISA Security
Compliance Institute), the most advanced process control technology may
become inoperative, even dangerous. Fortunately,
these standardized new processes will include automated negative testing
assurance to help stabilize network environments by quantifying product
robustness so plant safety and uptime both remain intact.
Comments:
Write a comment
- Required fields are marked with *.
|
