Industrial cybersecurity group gathers lobbying force

A number of the world's largest manufacturing and cybersecurity companies are getting behind a new consortium aimed at protecting industrial systems from threats. The Operational Technology Cybersecurity Coalition (OTCSA) is targeting the end-to-end industrial flow for a wide range of manufacturers, including Coca-Cola, …

COMMENTS

This topic is closed for new posts.
  1. Binraider Silver badge

    As long as the book-keepers keep speccing IT systems, the wrong tools will keep appearing in the wrong places. And even when you have control it's a challenge to do well.

    I have seen disastrous OT setups built upon DOS, Win98, XP, OS/2 and myriad others persisting decades beyond their intended service lifetimes in industrial control systems, either as a front-end HMI or doing actual processing/decision making.

    Of course, in a world of air-gapped gear, updating is a rather different affair than on the toxic internet; however, when a modern solution to a problem inevitably revolves around throwing a wifi router into the loop of those old systems...

    New stuff is arguably even shorter lived and harder to patch-manage without risk, because of course an awful lot of new stuff includes shiny fan-dangled USB. (See Stuxnet and the air-gapped Siemens PLCs infiltrated by USB.) See also: new suppliers want to sell you new stuff, so enforced obsolescence through patch management is a thing.

    Easy to poke holes in the problems. Rather more difficult to do anything about them.

    1. Anonymous Coward

      I work for the government and occasionally get involved in national procurement work.

      The weighting given to cost is always huge (40-55%), meaning that, unless the company can't fill in paperwork, they are almost certainly guaranteed to get the work if they are the cheapest by a decent margin.

      There are lots of safeguards, obviously, but most of those don't help as they never have enough strength behind them; there's always compromise, which by the time you have awarded framework access is too damn late.

      Security/data protection should be a massive portion these days; I'd argue on equal weighting with cost, with the rest coming down to usability, so the most useful system has a positive edge too.

      It'll never happen, bean counters won't let it.

  2. Anonymous Coward

    This is not a solution to a problem, it is a marketing body for problems.

    Not that this industry isn't in desperate need of help and guidance, but this clearly looks like the people who made the problem trying to sell a fake cure to the problem they created. If the organizers of this group had a shred of credibility they would have put their own houses in order 15 years ago or more. The idea that these systems will remain, or ever were, fully air-gapped was always a myth.

    This is a cynical attempt to cash in on the backlash they brought on themselves, and to shield themselves from external oversight by creating yet another toothless and unaccountable trade body they can hold up to ward off effective regulation their industry so badly needs.

    Yeah it's harsh, but how often do they think we will fall for the same scam? The answer is always the same, one more time. Maybe prove them wrong for once?

    1. Yet Another Anonymous coward Silver badge

      Re: This is not a solution to a problem, it is a marketing body for problems.

      But now there's no need for any government regulation because they are self regulating.

      Except there will need to be a regulation making it illegal to report on any cyber-attack (for national security reasons) and to prevent companies being sued for any damage caused to their customers.

  3. thames

    Not exactly confidence inspiring

    Based on who is involved I wouldn't expect much of consequence from this group. I suspect their main focus will be on repackaging basic IT industry practice and using it as an excuse to fend off any trend towards mandatory regulation.

    Aside from ABB (who are at best second tier), there isn't the buy-in from the major vendors whose cooperation is actually needed to make a difference.

  4. Anonymous Coward

    Ah....and no mention of unknown attacks on your "secure" application development environment....

    Link: https://www.npr.org/2021/04/16/985439655/a-worst-nightmare-cyberattack-the-untold-story-of-the-solarwinds-hack?t=1649876371852

    And as far back as 1984, Ken Thompson warned about rogue compilers on the loose:

    Link: https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf

    Is your development environment trustworthy? Or might it not be a source of trouble.....not because your production environment has been hacked (e.g. ransomware etc.).....but because the applications created by your own developers...those applications have unknown flaws designed by bad actors!! Would you even know??
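The compiler trojan Thompson describes, and the check that answers the "would you even know" question, as an added toy model in Python. This is not code from the thread, from Thompson's paper, or from any real toolchain: "programs" are Python source strings, the honest "compiler" is an identity transform whose "object code" is also source, and every name in it (compile_program, check_password, LOGIN_SRC, the "backdoor" password) is constructed for the demonstration. The detection step is David A. Wheeler's diverse double-compiling (DDC): rebuild the compiler from its source with an independent compiler you trust more, rebuild once more with that result, and compare the bits to the binary you were shipped.

```python
"""Toy model of Thompson's 'Trusting Trust' compiler attack and of the
diverse double-compiling (DDC) check that exposes it.

Constructed example: "programs" are Python source strings, and a "compiler"
is a function compile_program(src) whose "object code" is also a Python
source string (the honest compiler is the identity transform).  All names
here (compile_program, check_password, LOGIN_SRC, ...) are invented for
the demo; nothing below is from a real toolchain.
"""

# Pristine compiler source, exactly what a code review would see.
CLEAN_COMPILER_SRC = '''
def compile_program(src):
    # Honest compiler: object code is the source itself in this model.
    return src
'''

# Pristine login source, also exactly what a code review would see.
LOGIN_SRC = '''
def check_password(user, password):
    return user == "alice" and password == "correct horse"
'''

# The trojan is a quine: it carries its own source so that whenever it
# compiles the compiler it re-implants itself, and whenever it compiles the
# login program it implants a backdoor password.  '%r' is replaced by the
# template's own repr and '%%' becomes a literal '%' in the generated code.
TROJAN_TEMPLATE = r'''
_honest_compile = compile_program
_TEMPLATE = %r
_TROJAN = _TEMPLATE %% _TEMPLATE
def compile_program(src):
    out = _honest_compile(src)
    if "def check_password(" in src:          # target 1: the login program
        out = out.replace("return user ==",
                          'return password == "backdoor" or user ==')
    if "def compile_program(" in src:         # target 2: the compiler itself
        out = out + _TROJAN
    return out
'''
TROJAN = TROJAN_TEMPLATE % TROJAN_TEMPLATE


def load_compiler(compiler_binary):
    """'Execute' compiler object code and return its compile function."""
    ns = {}
    exec(compiler_binary, ns)
    return ns["compile_program"]


def run_login(login_binary, user, password):
    """'Execute' login object code and try one credential."""
    ns = {}
    exec(login_binary, ns)
    return ns["check_password"](user, password)


def diverse_double_compile(trusted_binary, compiler_src, suspect_binary):
    """Wheeler's DDC check: rebuild the compiler from its source with an
    independent trusted compiler, rebuild again with that result, and compare
    to the suspect binary.  Equal means the suspect matches its source."""
    stage1 = load_compiler(trusted_binary)(compiler_src)
    stage2 = load_compiler(stage1)(compiler_src)
    return stage2 == suspect_binary


def demo():
    # Generation 0: the attacker ships one infected compiler binary.
    infected_binary = CLEAN_COMPILER_SRC + TROJAN

    # The victim rebuilds the compiler from audited, pristine source...
    gen1_binary = load_compiler(infected_binary)(CLEAN_COMPILER_SRC)
    # ...and then builds login with the result.
    login_binary = load_compiler(gen1_binary)(LOGIN_SRC)

    # DDC with an independent compiler (here: the pristine one, loaded from
    # source we inspected) exposes the mismatch that source review cannot.
    trusted_binary = CLEAN_COMPILER_SRC
    return {
        "trojan_survives_rebuild": TROJAN in gen1_binary,
        "backdoor_in_login": "backdoor" in login_binary,
        "login_source_is_clean": "backdoor" not in LOGIN_SRC,
        "alice_real_password": run_login(login_binary, "alice", "correct horse"),
        "anyone_backdoor": run_login(login_binary, "mallory", "backdoor"),
        "ddc_infected_matches_source": diverse_double_compile(
            trusted_binary, CLEAN_COMPILER_SRC, gen1_binary),
        "ddc_honest_matches_source": diverse_double_compile(
            trusted_binary, CLEAN_COMPILER_SRC, CLEAN_COMPILER_SRC),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because object code equals source in this model, the honest build is trivially reproducible and the trusted compiler is just the pristine source; the point carried over to a real toolchain is the byte-for-byte comparison, which only works with deterministic builds and a second compiler you have independent reason to trust.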

