Why Control System Cyber-Security Sucks...

by Dr. Stefan Lüders
Sept. 23, 2017 Black Hat belen_caty Pen Testing & Audits cyber-security ICS

Vendors and manufacturers have pushed "Industrial Security" appliances onto the market, or claim that their products now come with "enhanced security". A cacophony of standards has emerged, and certification schemes are offered. But does this help? Given the increasing interconnectivity of ICS (SmartMeters, later the Internet-of-Things), shouldn't the direction be more towards standard IT than sticking to a dedicated ICS IT? Why is it that I can patch a computer centre overnight, but not a control system within a year? This presentation will not give the answers but will outline why control system cyber-security sucks and which hurdles we encountered in handling ICS cyber-security like that of our computer centres. A change of paradigm is needed, and this change must start with people and not with technology.