Which part of our infrastructure is expendable?
When most of today’s best practices were documented, 4-5 years ago, security measures such as firewalls, VPN’s, antimalware, security updates, others, were seen by most practitioners as adequate protection from the then-pervasive, modern threats of the day: professionally produced viruses, worms and botnets. In the last half decade though, this assessment has been challenged. Traditional best-practice security technologies are all software-based. All software has defects, and some defects are security vulnerabilities. In practice then, all software and all software security technologies have discovered and undiscovered vulnerabilities. Today’s pervasive, modern threats routinely defeat software security technologies.
In the last half decade, hardware-enforced security measures in the form of Unidirectional Security Gateways have come into widespread use, and are becoming part of best-practice guidance. With this industrial cyber security alternative now recognized as a best-practice, ICS security practitioners are increasingly asking “If software-based security measures fail to protect even IT networks from compromise, why would we use them to protect our ICS networks? Which of our ICS networks are expendable?”