Secure Default Configuration, Insecure By Design & Secure By Design
Dale Peterson
ICS Security Catalyst, Founder of S4 Events, Consultant, Speaker, Podcaster, Get my newsletter friday.dale-peterson.com/signup
Admission: I’m adverse to large, multi-year programs. I don’t want to work on them, and I’m skeptical that they will achieve their goals. I favor a series of short term, quick and significant wins recognizing the Pareto Principle, 80/20 rule.
My initial impression of the US Dept of Energy’s Cyber Informed Engineering and CISA’s Secure By Design effort is they are well meaning, not wrong, and unlikely to make a difference in the next three years. I hope I’m wrong.
For the OT and ICS security world, we would be better off focusing on two areas where progress is achievable in the near term and would result in large cyber risk reduction.
Secure Default Configuration
Is the system delivered to the customer with the default configuration settings in their most secure mode? Are telnet and tftp turned off? Does the default password have to be changed at initial startup? In OPC UA are you required to approve certificates or use a CA?
The Secure By Default term is catchier, and misleading. It doesn’t mean the device or application is secure. It only means the most secure available option has been selected.
While the IT world has embraced this concepts since Microsoft dealt with worms back in the early 2000’s, the OT & ICS security community has rejected it. The largest blame goes to the asset owner, the customer, the end user of these systems. When vendors deliver a secure configuration it means more work and more problems. Of course vendors should work to reduce this work, this friction, but it won’t be zero.
When ISA99 began its work two decades ago, a secure default configuration was quickly discarded by a.near unanimous vote. Availability trumped all, and security could affect availability. In the 2012 a major vendor added a security feature that required changing the default password. Result: customer revolt, increased service costs, and near firing of the security team.
Are asset owners ready for a secure default configuration a decade later? If yes, this is an easier step for the vendors. Much easier than secure by design. If no, at least the vendors are increasingly offering the possibility of secure configuration settings.
What we were missing two decades ago and still today is asset owner demand, or at least acceptance, of a secure default configuration. Acceptance of the initial complexity and cost this will bring to the project and ongoing operation. Until this happens it is hard to fault a vendor for giving their customers what they want.
Insecure By Design
Yes … this again in 2024.
Insecure By Design Definition: Features and functions in a product or solution that allow an attacker to achieve their goals without exploiting some security vulnerability or misconfiguration.
Insecure By Design is different and much worse than a lack of Secure By Design. From a cyber risk perspective, eliminating all of the bugs leading to vulnerabilities in a product does little if the attacker can use a documented feature to achieve their goals. Features such as:
领英推荐
All without authentication!
Most of the ICS protocols either have or are developing a secure version that includes encryption (often not necessary) and authentication (absolutely necessary).
This would be the next step to add to the secure default configuration. Get these secure protocols into the solutions and set them as the defaults.
Two additional thoughts on the move to authenticated protocols:
Secure By Design
A few quick thoughts:
Yes. This is a good and necessary philosophy and design approach.?
There is plenty of information published on Secure By Design. Lack of information is not the problem.
No. It’s unreasonable for security to be free, no additional product or support cost for the customer. Maybe there won’t be a standalone security premium, but all prices will go up. And this is as it should be in a world filled with for profit companies.
The reducing consequences / engineering aspects of Cyber Informed Engineering are an area that is newer and less well known, less documented, and less practiced. It would be better if this area was focused on by the Dept of Energy rather than the holistic, let’s address everything approach in CIE.
One of the challenges of these large, multi-year programs is measuring effectiveness. The program meeting programmatic milestones and publishing documents is not success.
It would be better if the US Government used its influence to focus on and measure secure default configuration, secure ICS protocol availability and use, and the consequence reduction approach.
CxO Advisor | Digital Resilience Practitioner | Cyber Defense Expert | Zero Trust Ambassador | Standards Evangelist
1 年Dale Peterson, this is precisely what I have been preaching to my clients, and now you have documented it. Thank you for creating a reference. And you are right. It is not easy for the asset owners. There is too much happening around them to have the time to stop, take a breath, reassess, and then take these three extremely essential steps. And 2024 is the right time, IT-OT connectivity is the proper excuse, and digital transformation is the correct initiative. I am going to up my rhetoric on this. Yes, it will help if CISA provides guidelines, but cyber attacks will not wait until then.
Principal Engineer for Electric Grid Cyber Security | DNV Cyber Arena Manager
1 年You can’t eat the elephant all at once. But why should we not take steps to integrate security into engineering design? One bite at a time May look like starting with a more cyber informed design team. Once the design engineers and system architects under the risks, the process will take care of itself. The problem is when a change in ?business as usual“ is driven from the top down without sufficient guidance or awareness of the problem.
Head of Product Security at AVEVA
1 年x10 "Get these secure protocols into the solutions and set them as the defaults." Execution often demands a multi-year program because of lifecycle concerns whether IT or OT. Recent example: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-evolution-of-windows-authentication/ba-p/3926848
Cofounder | ICS/OT Cybersecurity | OT security with OT logic
1 年After so many years of initiatives, free government training, and private companies hyping up the risk, the lack of customer demand is still at the root of the problem so we need to rethink how to address that. In a free market of for-profit companies, I believe an approach of "Informed by Design" is the most efficient step that all vendors can implement in their next software and firmware updates and immediately reach more people than the government has reached since the beginning.? Imagine if there were simple alarms/logs/notices built-in to every piece of ICS software informing engineers and operators of the low hanging fruit problems. What if PLCs and HMIs automatically had active alarms whenever their default passwords (or no password) was left configured or if there was communication with IP addresses in the public range? What if every time an engineer configured a new connection over an insecure ICS protocol, Studio 5000 or TIA Portal reminded them of the risks and pointed towards the more secure versions available in an Ethernet card add-on or new model? No one could claim ignorance of the risks and it could help naturally drive sales of the vendors' more secure offerings.
Tags, Nameplates , ID Products
1 年Thanks for posting