Cybersecurity continues to be a big problem for the world at large and for control systems specifically. The amount of time and effort that it can take to simply keep all of the security patches up to date on a large control system can be mind boggling. No matter how up-to-date the security patches are, however, and no matter how well the network was designed, there will still be security vulnerabilities in the system. Why is this? This is because of the large number of security vulnerabilities in the underlying software used throughout the system.
At the time when most of today’s control systems were developed, the software engineers were not aware of the root causes of security vulnerabilities in software. This is because this information was not known at the time or it was not widely disseminated. As a result, there are likely a large number of security vulnerabilities that exist in control systems software. Until recently, hackers had not focused their efforts on these systems and instead focused on more prevalent software such as operating systems and web browsers. But since the advent of Stuxnet, hackers have turned their attention to control systems. Given the potential impact of an attack on these systems (shutdown of power grid; injury or loss of human life) it’s nearly certain this trend will continue.
What can be done about this problem? At this time, the control system user community has taken the lead in addressing the security problem. As a result, the solutions have focused on patching and network security rather than solving the problem. From the point of view of a user of software, security vulnerabilities are going to occur and nothing can be done about that. What can be done by the user community is to try and secure the network with firewalls, intrusion detection systems, and virus scanners. Additionally, pressure can be put on the software developers to release patches when vulnerabilities are found, and the users can ensure that all of the latest patches are installed. However, none of these methods address the root cause of the problem, and we are always a step behind on solving the security problem.
Fortunately, over the past ten years tremendous progress has been made by the security community in understanding the root causes of security vulnerabilities and finding ways to prevent them from occurring in the first place. Most security vulnerabilities are caused by bugs or flaws in the software itself. Therefore it is in the application of security best practices during the development of software that must be done to eliminate the root cause of the problem. Given the sensitive nature of what is being controlled and protected by these systems, it is imperative that these principals be applied to development processes and existing products as soon as possible. It starts with training control system software developers on integrating security into their software development life cycle.