The following is from Eric Byres, an expert on cyber security, particularly in regard to manufacturing information systems. Most of it originally appeared on Tofino Security's Practical SCADA Security blog.
For me, the highlight of the June International NCSC [Netherlands National Cyber Security Centre] One Conference was the plenary speech by Jon Callas, titled “Security and Usability in the Age of Surveillance.” Jon’s talk focused on Bring Your Own Device (BYOD) security, but it raised some questions that are core to cyber security in the 21st century.
BYOD controversy revolves around the possible security issues that arise when employees use their personal mobile devices to access privileged company resources. A common example is using your iPhone to access your company’s email system. Does using personal devices on the plant floor increase or decrease corporate security?
The first question Jon raised concerned the real goals of any security policy or program. While security traditionalists talk about ensuring confidentiality, availability and integrity, Jon suggested the real goals can be divided into two more general ones:
- Maintaining safety
- Maintaining control
Most of the time, the reason given for a specific security policy is safety – for example, securing a SCADA system to ensure the safety of the processes, people and products. This reason is hard to argue with.
In reality, there are many security policies that have nothing to do with safety; instead, they are about maintaining IT control. Now this isn’t necessarily bad, but it is a lot harder to sell compared to the safety argument. So the safety excuse gets rolled out every time.
Jon then explained how this relates to the BYOD controversy. When mobile devices first came onto the market, the IT department loved the BlackBerry. Like the mainframe and the central server, the BlackBerry architecture centralized everything. Every email you sent and every note you made passed under the watchful eyes of the IT department. Any other mobile device was banned because it was “unsafe” for confidential company information.
Unfortunately for BlackBerry, the real customer wasn’t the IT department, but rather the end user. When the user was a lowly engineer or a salesperson, the iPhone, iPad, or Android could be safely ignored. But once company CEOs started to buy iPhones and saw how effective they were, suddenly IT had to start accepting other mobile devices.
The floodgates burst open and soon iPhones and Androids dominated the corporate world while BlackBerry withered to a shadow of its former glory.
Yet to this day we still hear lots of crying about how insecure personal mobile devices are and how the IT department has to “bring the problem under control.” There are endless pitches for BYOD security products and no shortage of corporate policies (many of questionable effectiveness) intended to “manage the problem.” The reason always given is the “safety and security” of corporate intellectual property.
But is the iPhone or Android really the security risk the IT world claims? Or are they just annoyingly difficult to maintain centralized control over?
Sure, smartphones aren’t perfect, but how many truly effective rootkits have you seen for attacking iPhones? Now consider how many rootkits there are for taking over PCs. How many serious mobile device vulnerabilities have you needed to quickly patch in the last year? Maybe two? And how often do you have to install a critical Windows, Java or Adobe patch on your PC? Every week?
As Jon put it: “Antivirus software for the mobile device is not exactly a growth market.” In fact, it may be that personal phones are actually more secure than all the other devices that are welcomed by traditional IT.
Smartphones are also more carefully guarded by their owners. Jon quoted studies showing that, on average, people noticed and reported a missing phone in less than 20 minutes compared to 24 hours for a missing wallet. If someone stole my laptop on a weekend, it could be two days before I noticed. And once an iPhone goes missing, the remote wipe features are very effective. I doubt my IT department could ever wipe the laptop they gave me if I happen to lose it.
To be clear, Jon is NOT saying that mobile devices are perfectly secure – far from it. But all the evidence suggests that they are more secure than any other common computing device currently in use. Thus the argument to tangle up iPhones and Androids in red tape is just an excuse. And industry might just be better off from a security point of view if we embraced — or even encouraged — the mobile device on the plant floor. It certainly is worth considering.
I often think safety as an excuse for control is common in airport security. Many of the restrictions and processes required by both the TSA and the airlines with the “We’re doing this for your protection” justification appear to be a way to make the customer easier to control (or are an excuse to cut services).
For example, The Atlantic magazine reported that a TSA employee confessed to reporter Jeff Goldberg that the purpose of enhanced pat-downs was to make opting out of full body scans so unpleasant that everyone would quiescently choose to go through the scanner. This would make the inspection process quicker and cheaper for the TSA.
Causing people frustration never leads to better security; it just encourages rebellious behavior. This is doubly true for the industrial world. It is human nature that people (especially engineers!) only have so much patience for security policies that make their job harder to do.
Institute a few security controls that offer clear safety benefits and people will respect them. Throw too many controls in a person’s way and they will find a way to circumvent them so they can get their job done. Unfortunately people don’t necessarily pick the least effective controls to ignore – they might obey the ineffective measures and bypass the important ones.
Thus, as SCADA security professionals we need to pick our security battles carefully. After listening to Jon, I will be looking deeper into the real goals of any SCADA security policy or technology I am exposed to. Is it really helping make SCADA and ICS safer? Or is it just a way to make control easier? Is it addressing the real risks? Or is it just for show?
Fail to ask these questions and we risk creating a backlash against the whole SCADA/ICS security message. And that will be a loss for the entire industry.