The problem with SCADA and ICS security isn't going to rapidly change for the better, no matter how bad the situation gets. Let's go ahead and accept the fact that Operational Technology (OT) environments are not able to withstand the degree of constant updating enjoyed by traditional and future Information Technology (IT) environments. Complexity, cost, and culture are such formidable barriers at this time that our best short-term approach looks no better than a frantic game of "Whac-a-mole." Sure, long-term we can buy and implement better products - assuming the vendors provide us with better options - but for now, it would probably be best to assume your OT environments are not as secure as you think they are.
So what do you do?
To have any hope of "keeping the lights on," SCADA/ICS security should balance prevention, detection and response. You've heard it before. You've seen this portrayed on too many slide decks. So, has it truly sunk in? Simply put, you need to know that you can operate in a degraded capacity under duress with unknown system integrity. This usually means equipping experienced and engaged people with powerful and effective tools. It usually means changing architectures. It usually means changing culture. All of this means cost. Possibly BIG cost. Will the cost vs. benefit balance reach equilibrium or even tip in favor of benefit? In my opinion, yes. But not fast enough for many counting the coins.
[Photo by Maggie Smith]