Operators of critical systems need to accept that they will be targeted by attackers, warned a panel of experts on critical infrastructure at Infosecurity Europe.
Not only are hackers targeting industrial control, SCADA and critical systems in order to disrupt them, or to steal data, but control systems are increasingly connected to the internet, and even need to connect to consumer applications.
This, in turn, means that companies operating critical systems need to assume they will be attacked, and that an attack will succeed. Companies need not only to invest in defensive technologies, but ensure that they are resilient enough to withstand an attack, and to continue to operate.
"We need to articulate our defence and our response strategy to the board – you have to be honest," said Barrie Millet, head of business resilience, at energy company E.ON. "We are not going to stop being attacked. "There is technology and best practice, but it's about the response capability as well."
"Hackers are like water. They take the path of least resistance," said Trey Ford, global security strategist at Rapid7. "SCADA was not designed to be connected to the internet. And we are now seeing similar challenges with the internet of things."
An issue with both technologies, Ford said, is they are not designed with security in mind – but that engineers now want them to be connected to the internet.
"They don’t worry about things we worry about, like default passwords. And there is a consumer parallel to this in the Internet of Things: they are not designed by developers, designing security in."
In part, this is driven by practical necessity. "Control engineers need quick access to systems. Put complex passwords in place, and the next guy on shift who didn't get the memo can't get on to the system to fine tune it," warned Sean Newman, at Cisco. This, he suggested, poses an operational risk.
Operators of control systems, critical infrastructure, and the internet of things are adopting a more security-centric approach, however. This is especially the case where the technology involves consumers, as ensuring security, and privacy, is important to trust.
"Security by design is at the center of everything we do," said Barrie Millet at E.ON. If we don't have the confidence of users we will lose out."
And this, said Donna Dodson of NIST, is the key to making the transition from security for SCACA and industrial control systems, to the much wider security considerations around the internet of things.
For SCADA resilience and reliability are key. NIST's five-point framework – identify protect detect respond and recover – is a good basis for protecting systems, she said.
But in the internet of things, privacy comes to the fore, she said, not least because the data gathered by utilities' monitoring systems can reveal a lot about consumers' personal behavior.
"There is a tension between security and privacy," she said. "And we will see that with safety as well."