Industrial Control Technologies Cybersecurity. Time to wake up.

Sometimes one has to make an effort to balance opposing feelings. This is the case since I work in cybersecurity issues. I have devoted much of my career to work on public infrastructures design and construction, mainly water treatment plants. As an engineer I was in charge of industrial processes and associated control systems design: physical processes, electrical system wiring diagrams (power and control), network architectures and control components, etc. In short, the process and associated SCADA systems. I‘d like to think I did a good job.

I have witnessed the evolution undergone by those systems in the last years, which could be exemplified in something iconic: the end of traditional control panels with their red and green lights and analog gauges. I remember when I saw, for the first time, one of those old fashioned panels replaced by a 42” screen, nearly as big as it could be those days: an amazing thing to see, for sure. Now, surrounded by computer engineers, it feels like swallowing the celebrated ‘The Matrix’ red pill. From my new assignment, I can see in new light those times in which we engineers adopted all that computer technology with a kind of ‘Victorian era’ faith in progress. It’s hard to explain how it feels as I realize that, in most cases, we’ve been building castles on sand foundations. I’m becoming aware of the situation as we find more and more equipment and control systems exposed to the Internet without minimal security measures. I’m not kidding you. I’ve seen them. It’s kind a terrific moment when you fully understand that you have in your hands the power to completely stop a factory’s manufacturing process from your very desk (real case). But who can be blamed for not stopping in a red light when one has never seen a traffic light?

Now it is time to wake up. The threat looming on thousands of systems is just too real and there are no excuses allowed. Nevertheless, in most cases, the first reaction is denial or disbelief. It is easy to understand since attack mechanisms are, in most cases, almost unthinkable for those in charge of these facilities. So, where to start? Here are some tips to my fellow engineers working on the field. May be repeated like a mantra every morning:

1. The risk is real. Yes, also to me.
2. Maybe I can’t think of any reason for an attacker to aim to us. Never mind. It’s not my reasons that matters, but his reasons.
3. The size of my organization or system won’t help me, and even less compared to others. If my system is attacked I will sustain 100% damage, irrespective of my size.
4. In these cases it is worth remembering the joke about the two guys running away from an angry bear. One of them puts on his footwear in order to run faster. The other guy regards it as useless, deeming impossible to outrun the animal. Then the first guy states: “I do not want to outrun the bear, but to outrun you.”. Our first goal is not to be the easiest target of the shooting range.
5. Asking questions is a good first step. Start with this: What is the current status of my system?
6. Finally, remember: we are all responsible, in varying degrees, of the cybersecurity of the systems we work on. Think of what you do, but also of what you don’t.

Don’t keep waiting for the first blow to come. In the words of Bob Marley: ‘Wake up, stand up …