Patch Me if You Can (Cyber-Informed Engineering)
A continuing challenge in ICS security is the concept of “insecure by design,” or the idea that industrial control systems don’t have security built into their engineering and architecture.
Hardly a new subject, it was solidified in the community as part of DigitalBond’s Project Basecamp efforts (for a glimpse into S4s of old, check out Reid Wightman’s presentation at S4x12 https://www.youtube.com/watch?v=dtadMIN3CCc) and has gained new traction as a phrase of the day.
As with Shodan or “Air Gap,” we in ICS tend to fixate on negative examples and experiences of the ICS cybersecurity challenge.
That’s why I’m thankful for a new focus spearheaded by INL (Idaho National Laboratory) and others this year. The antithesis of “insecure by design” is “Cyber-Informed Engineering,” which looks forward into the future and challenges us to find opportunities to build in cyber security instead of bolting it on.
Here are some excellent resources for Cyber-Informed Engineering:
The Source
https://inl.gov/cie/
The Strategy
https://www.energy.gov/sites/default/files/2022-06/FINAL%20DOE%20National%20CIE%20Strategy%20-%20June%202022_0.pdf
This was further expanded upon by Andy Bochman and Sarah Freeman, adding an important qualifier: “Consequence Driven.” This is important because in industrial security, it’s not enough to fear the theoretical or real “threaty threats” or to put too much focus on CVEs (https://synsaber.com/industrial-vulnerabilities/).
The impact on operations or “consequences” must be considered to provide practical risk evaluation.
The Source
https://inl.gov/cce/