Re: One word:
I spent almost 20 years working for a multi-state mid-stream refining and pipeline company here in the US. While some of these comments that have been made are entirely accurate that you need some information flow to/from the control systems these days, there are certainly ways to make it "fairly" secure.
Our systems started out as old, completely isolated industrial control systems that were only accessible from dedicated workstations in the control room, which were not in any way connected to business systems. When the systems were upgraded, however, that was no longer practical, as they did need to get certain data out of it, and did need to at least be able to see the status of the systems remotely (*changes* to the system were not wanted or needed remotely, as like most companies of this type, the control room is manned 24/7).
The new ICS was still an *almost* completely separate network, including its own sets of redundant physical switches and fiber paths in the main facilities, plus private fiber-based ethernet transport from an ISP for connections between sites (even though private, those connections all still went through firewalls on each end that only allowed the expected control traffic), plus some number of private radio links for remote sites.
The only point of connectivity with the business networks, since there had to be one, was a (redundant) server provided by the manufacturer, with a firewall between it and the business network, which was configured to only allow the very specific traffic that needed to flow to and from it, which consisted only of application-specific ports and protocols for the ICS "view only" software application. That server, at an application level, did not allow any changes to be made to the ICS, and the ICS required custom network cards for connecting to the ICS network, which had physical dip switches on them to set an ICS ID number for that station, and only authorized stations could make changes on the network regardless of software restrictions.
All that, plus the fact that every ICS site had a firewall across its traffic to other sites, made for a relatively secure setup. Certainly random ransomware that got into the business network never would have been able to spread to the ICS. That's not to say that skilled, targeted attackers wouldn't maybe find some way in, but it at least would not be easy.
We also made use of 2FA for most things, had the business inter-VLAN traffic going through firewalls that limited it to what should flow, etc, so even on the business network a ransomware attack would have a limited reach.
It was, of course, a significant amount of effort to set up and maintain all of this, and I know there are many organizations that don't bother to do it properly. Having seen the state of inherent insecurity on many pieces of ICS equipment, I think that's a foolish decision on any company's part. ICS equipment is nearly as bad as IoT junk from a security standpoint, with things like hardcoded passwords, insecure designs, infrequent patching of any type, etc being the norm.
It continues to surprise me though, in this day and age, how little some companies secure themselves. It's even more unforgivable when you're running critical infrastructure. I now work for a fairly small financial firm that is NOT responsible for anything critical other than to us and our customers, yet we've taken a very security-focused posture normally only seen at larger enterprises. Hopefully more of you get to work with a company that understands the importance of security rather than just wanting to be able to tick some audit boxes and move on.
Biting the hand that feeds IT
