A similar quote stated that SCADA, and essentially any system that controls physical machinery, is the new attack surface. It struck me as obvious, and then as non-obvious upon reflection. The security of these systems tends to fall under Facilities, outside the scope of concern of most CISOs and certainly of the CIO, unless the organization is structured so that such operating roles report to the General Legal Counsel or the COO. The structure of the organization, as it relates to operational integrity, competitiveness, and ultimately compliance and security, depends on organizational structures being adapted to the technology age. Too often we forget the value of shifts in organizational strategy, and this is one that will be necessary and will provide valuable returns.
How can this trickle into the tactical operations of the business?
Consider this single example:
- What controls do you have for checking the software version of the HVAC units powering your data center and/or corporate offices?
- Is there a security control in place to have it, to be sure it can handle the load, and to test that it works? I imagine the answer is yes to all three, as these are the ABCs of operations.
- What is the version of the HVAC PLC / SCADA element that the vendor and monitoring teams use, and which is accessible remotely?
- When audits occur, do they check to be sure the device isn’t the Siemens or other manufacturer that was just highlighted at Defcon or on the news?
If this is the new frontier, we need to start structuring organizations in a manner designed to care for these considerations, so that the business can remain agile and competitive.
Thoughts? (A bit of latitude on the above terminology is requested, given that I am simplifying the example to avoid too much technical specification and confusion.)