"Industrial control systems security," says Scott King Senior Director, Security Advisory Services, Rapid7 should be thought of "as a collective." TechRepublic's Dan Patterson spoke with King. The following is a transcript of the interview.
Dan Patterson: Scott King, Senior Director of Security Advisory Services at Rapid7. Thank you for joining TechRepublic in ZDNet today. I wonder if we could talk a little bit about cyber defense of industrial control systems. And maybe before we get into that can of worms, we could define what we mean by industrial control systems.
Scott King: Sure Dan. Thank you so much for having me today. When I think about industrial control systems, what that means to me is, electronics that operate things that are important. And whether or not we're talking about electric-generation plants, or we're talking about electric transmission systems, or we're talking about critical manufacturing within the United States. Those are all environments that operate and run very important, critical systems. And when I think about industrial control systems security, I think about all those systems as a collective.
Dan Patterson: What are some of the cyber threats facing critical infrastructure systems?
Scott King: Generally speaking, the type of threats out there range from nation-states sponsored actors, who could have invested interest in causing harm to our country, as well as the potential for insiders to cause challenges within organizations, either maliciously or inadvertently.
Dan Patterson: Are there any best practices for cyber defense, protecting these industrial control systems?
SEE: Cloud migration decision tool (Tech Pro Research)
Scott King: Absolutely. There needs to be a process where systems are evaluated prior to being deployed in production, so that the operators have a good understanding of what types of vulnerability those systems may be introducing into their environment. And they can design, what I would consider to be compensating controls around those. One of the challenges with industrial control systems, just in general, is that many of them have been developed on systems that work very well in operations, but they don't necessarily have all of the necessary cyber-security safeguards built into them.
Now, many of the manufacturers out there, they are now frantically reintroducing those cyber security best practices to their control systems, but there's still 15 to 20 years worth of legacy systems out there that are going to have to reach their retirement before they actually get replaced. The challenge to the operators is to design a protection scheme for those control systems that allows them to be protected within their network environment.
Dan Patterson: What are the stakes, Scott? I understand that these are critical systems, but for those of us in other industries, whether they're SMB's or enterprise company startups, why should we think about industrial control cyber security, and what are the stakes if something goes wrong? How important is cyber defense of these types of systems?
Scott King: In my mind, it's one of the most pertinent things for us to be talking about as a society. Cyber security of industrial control systems, and the negative ramifications of that, could be catastrophic. These systems control everything from the power that we consume within our homes, the gas that we use to power our water heaters and our stoves, the water that we drink out of our faucets, as well as the cleaning systems that are associated with making that water safe for us to consume.
Additionally, as we look at our society, and how dependent it is upon automation and the rich manufacturing industry that we have within the United States, those types of systems are incredibly important to our way of life. If, for example, a situation occurred that took the electric grid offline, or took the water system out, or stopped the critical manufacturing of something that we need to survive, whether it's things for our health or things for our food, that is going to create a ripple effect all throughout our society.
- How to build a successful career in cybersecurity (free PDF) (TechRepublic)
- Landing that infosec job: These experts share their best career advice (ZDNet)
- Cheat sheet: How to become a cybersecurity pro (TechRepublic)
- One in three cybersecurity job openings go begging, survey finds (ZDNet)
- Report: Despite growing security threats, CXOs struggle to find cybersecurity professionals (TechRepublic)
Dan Patterson has nothing to disclose. He does not hold investments in the technology companies he covers.
Dan is a Senior Writer for TechRepublic. He covers cybersecurity and the intersection of technology, politics and government.