Defense Will Win (In ICS / SCADA Security)
While there is much to be pessimistic about in the short term related to ICS cyber security, the almost universally held view that offense will have a long-term advantage in cyber conflict is wrong. The S4xEurope video below begins the argument for why Defense Will Win in ICS / SCADA security.
The two main points for those who don’t want to watch the video are:
- The history of conflict shows an ebb and flow between offensive and defensive predominance, including in new types of weapons and new arenas of conflict. Scholars and bright minds have predicted long-term offensive superiority in the past. One notable example is Europe prior to World War 1, obviously an error given that this was the deadliest and most prolonged defensive struggle to that point in history. It flies in the face of history to assume the defense will not find a way to gain the advantage in the cyber realm.
- We have a preposterous definition of offensive success. If success is viewed as any access to, or impact on, anything control system related, then yes, offense will always have an advantage. A more realistic definition of offensive success, and a more effective one from a resource allocation standpoint, is causing an unacceptable impact to the ICS. Note that an attacker can consider his attack a success while the defender brushes it aside as a mere nuisance.
The hack of a rarely used flood control gate in Rye, New York was held up as a prime example of the state-sponsored attacks on critical infrastructure that warrant concern. In reality it is a rarely used neighborhood water control system. Even if Iran decided to control this gate, it could not seriously be considered an offensive success in attacking US critical infrastructure … because it is not part of the critical infrastructure.
The cyber attack on Ukraine that caused a power outage for 230,000 people for 1 to 6 hours on 23 December 2015 is debatable as to whether it was an offensive success. An outage of this duration and scope is not unusual for utilities. If management approves a 6 hour recovery time objective (RTO) and this is met, then the offense has not succeeded.
I have continued to work on this topic and line of thinking, and on Wednesday I’ll write on the biggest advantage that defense has in the ICS realm.