Pessimism Not Welcomed Here
31 Oct 2016
by Mike Firstenberg
At the annual EnergySec Conference, no fewer than eight speakers used a phrase akin to “It’s not if … it’s when,” referring to cyber compromise. We see news articles, blogs, training materials, and many other media take a similar stance: that the compromise of our industrial control systems is inevitable. We cannot start from this point. As a community of security professionals dedicated to the protection of critical infrastructure and industrial control systems, we cannot take a defeatist attitude. Such an attitude dooms us to failure in our mission to protect the safe and reliable operation of our infrastructure.
Protection of industrial control sites (ICS) must be our first priority, not IT-style detection, response, and clean-up. Today’s cyber perimeter protection technology offers much more than the Swiss cheese firewall options of two decades ago. Solutions designed to protect control systems and critical infrastructure, such as the Waterfall Unidirectional Security Gateways, make our mission achievable. We can deploy strong protection to eliminate the threat of online attacks from external networks. We do not need to assume that we will be compromised. With the deployment of modern ICS perimeter protection, we can stop our attackers and defeat the negative stereotypes of control system vulnerability.
Detection, response, and recovery are still worthwhile, secondary goals. As a community we should be exploring all of the available solutions in these fields. However, while this class of contingency planning is important, protection must come first.
When we start with the decision to prevent remote network threats to safety and reliability, the path forward is clear. No pessimism is warranted or welcomed here in the ICS market.