"A lot of my ICS systems are running on Windows Server 2003," said Tracy Waller, a manager in the process and controls engineering division at Savannah River Site, the sprawling Department of Energy facility in Aiken, S.C. where nuclear-weapons-related tasks, such as processing tritium and managing waste, is done. Supervisory control and acquisition systems (SCADA) "don't play well with Microsoft patches," he noted. The problem is that it's not always clear ICS will work properly after Microsoft patches are applied. Sometimes vendors want customers to buy new ICS gear to keep up with Windows releases.
Currently, energy and manufacturing facilities are being openly warned by DHS and its Industrial Control Systems Computer Emergency Response Team that they are being targeted by attackers who will often try to infiltrate business networks, often through spear phishing attacks against employees, in order to also gain information about ICS operations.
While ICS and SCADA once seemed safely tucked away in the depths of engineering, they are now subject to security demands from the IT and security departments, and the two groups don't always get along. Eric Cosman, engineering consultant at Dow Chemical said cooperation there is fostered by inviting the IT division into the plants to promote constructive discussion and choices. But at the same time, he said he hoped IT security professionals would abandon the role of "high priest." Infighting between IT and the process engineers makes everyone look like "the kids who can't get things done," he warned.
The idea of cyberwar is starting to transform the once closed world of ICS vendors and users, forcing them to more vigorously debate the status of security on ICS networks. Based on much debate heard at this conference, there's tension between ICS vendors and users over security. Vendors say they want to improve their products, but when they do, they aren't even sure their customers know and make use of the security they provide.