This is a question that might not even emerge initially in the minds of IT security professionals. However, when we take a closer look, the differences are clear. Consider the history of IT and SCADA networks. The original “killer app” for IT networks was mainframe transaction processing. The original model for IT systems was a leger book – keep track of the money. The data in the leger book is what was important. This perspective continues to this day.
Where did SCADA networks come from? Before there were SCADA networks we controlled physical processes with switches, dials and gauges. When these were automated, gauges produced monitoring data, and switches and dials accepted computer control commands. Now think about this – how much do operations people care when someone far away takes out their binoculars and looks at our gauges, and steals our monitoring data? We generally care somewhat. Sometimes that data is a trade secret. The consequences of stealing monitoring data are similar on IT networks and OT networks.
Now – how much do we care if a stranger walks into our facility, walks up to our equipment and starts turning our dials and throwing our switches? We generally care enormously. Messing up the physical process can kill us, can shut down our billion-dollar production lines, and can corrupt outputs like clean water or pharmaceutical products. In short, tampering with physical processes put public safety at risk. Monitoring is data. Control signals are much, much more important than data.
IT security mechanisms are generally adequate to the task of protecting monitoring data. In contrast, they are completely inadequate to the task of protecting industrial control systems. So if we use IT security approaches and products to secure our control networks, then we are no more secure than IT systems.
This means that attacks can pivot between communicating systems, even systems with firewalls between them. Security is a continuum, not a binary value. This means that no matter what we do, there is always a set of attacks that will defeat us. Given the sad truth that all software can be hacked. All software has bugs after all, and some bugs are security vulnerabilities.
This is why industrial control security must be approached differently, and the best approach is to use unidirectional technology that prevents remote online attacks from entering the industrial control system.