The main challenge for industrial control systems is that the processes that control those systems are connected to critical infrastructure such as power, water, gas, and transport.
This means they require high availability, and it is not easy to interrupt those systems to apply security updates. Any downtime can affect the business and millions of people, e.g. in the case of an outage.
Organizations cannot risk any downtime if security updates could cause these systems to shut down or restart.
Many systems running in industrial organizations are between 10 and 20 years old. These legacy systems were not built primarily with connectivity and security in mind. Replacing these systems is not easy, and persuading organizations to spend money on new systems is difficult, especially when they see that legacy systems have been running fault-free for decades.
Organizations sought to standardize and cut costs by using commercial off-the-shelf (COTS) products. This means greater exposure to threats through connections outside the industrial plants when industrial systems are connected to enterprise systems. There are good reasons to connect them, but doing so also carries risk in maintaining and securing these products. Some organizations are still running products that are no longer supported by vendors, such as Windows XP and even earlier operating systems.
Organizations are not willing to update them not only because of costs and downtime but also because they will need to recertify the whole system to comply with industrial regulations.
Another challenge is the segregation of IT (information technology) security and OT (operational technology) departments, as well as a difference in skill sets between OT and IT.
Traditional management of both sides now appears to be outdated. IT departments and security teams are rarely involved in ICS procurement, installation, and maintenance. ICS systems are commonly ...
This is a Security Bloggers Network syndicated blog post authored by Babar Mahmood. Read the original post at: The State of Security