
Legacy System Problem Keeps Growing
Walid Khatib
Description
<blockquote>If you find yourself in a hole, stop digging.</blockquote>
<blockquote>Will Rogers</blockquote>
<p>The large amount of insecure legacy ICS and long ICS lifetimes mean we will need to live with this security risk for years or decades. We can argue about how long it should take to replace the deployed insecure-by-design ICS, but there is no disagreement that it is a huge problem. A big hole. Which is why it is so disappointing that we keep digging.</p>
<p>This was brought to mind again by a tweet from Joe Weiss's session at the SANS ICS Security Summit last week.</p>
<p>The key is the last sentence, which correctly points out that almost all systems deployed today add to the "legacy system" problem because they still have insecure-by-design PLCs / controllers and are using ICS protocols lacking authentication.</p>
<p>Back in 2013 in my S4 introduction (see the video clip below), I bemoaned the fact that we had been hearing it will take decades to address the legacy system security problem in ICS every year since I was first involved back in 2000. By 2013, we had made virtually no progress in dealing with insecure-by-design Level 1 devices or unauthenticated ICS protocols. We were still decades away from solving it, and the problem had gotten much larger with more "legacy systems" being installed over those 13 years.</p>
<p>The theme of S4x13 was NOW!, and the tag line was "If not us, who? If not now, when?"</p>
<p>https://youtu.be/bZLbm7J2E8o</p>
<p>It's now eight years after the NOW!-themed S4x13 event, and we can look at what has occurred over those eight years optimistically or pessimistically.</p>
<p>The pessimist's side is easier. Over those eight years, 99%+ of the ICS deployed have insecure-by-design PLCs / Level 1 devices and use unauthenticated ICS protocols. Access inside the perimeter = compromise, limited only by the engineering and automation skills of the attacker and the capabilities of the connected Level 0 devices. We have increased the "legacy system" problem with eight years of ICS deployments. We