I read the brief ‘Industrial Cyber Security for Dummies’ with some interest, as it’s a field I’ve been involved in since 2003. Several of my colleagues in the pen test team have previously worked in utility SCADA control rooms, so they also had a read.
It’s a good primer to ICS and SCADA, though I’m not sure who the audience is meant to be. Any security professional in the utility sector will likely already have a deeper knowledge of ICS than this book offers.
However, it does have a place for industries where ICS security isn’t front of mind. I’m thinking of process control, production lines, chemical, pharmaceutical, automotive etc; industries where there isn’t already oversight from government and related critical national infrastructure bodies. It’s here where an outage wouldn’t necessarily cause power cuts or stop the water flowing, but could create huge business interruption issues.
The book also has a place for insurance underwriters: helping them understand the threats to the clients they insure, helping them discuss real world risk with their clients and helping set premiums for their BI policies appropriately.
It also covers the significant differences between IT and OT, explaining the differences between availability and integrity that help stop nuclear plants from blowing up!
There is a significant omission from this book though: it doesn’t discuss the risk of conducting security assessments and patching ICS.
‘Critical Security Control 4’ as discussed in the book is clearly a pitch for the services that Belden and Tripwire offer. Testing of live ICS environments is rare and requires great care and expertise. Use of automated services to push updates to ICS components such as PLCs and RTUs also carries significant risk.
The risk of testing in live environments is significant: even a simple port scan can brick some PLCs, to the point where they need to be re-flashed. If that controller is in use, the risk of causing outages should not be underestimated.
All testing of ICS should be carried out in a non-live, replicated testing environment or with extreme caution and years of experience.
To conclude, the book is a good intro to ICS. However, it really needs another chapter that discusses the stability risks to industrial control systems from security assessments.
Otherwise, a CISO may commission a security exercise, bring in software & services to push patches to ICS and inadvertently brick the entire production system… or worse.