How many times have we encountered a situation where some part of the software industry starts small, in a closed environment, then grows and attracts a lot of attention before realising that things were not designed properly for this changed environment? On a large scale, I would say three times. It happened with the Internet, operating systems, and system and industrial control systems (also referred to as SCADA). This transition from a closed environment to an open environment inevitably exposes aspects that were overlooked during the development phase. The speed of this transition will only exacerbate the situation. Because SCADA systems are currently going through this transition I will call this a “SCADA Syndrome.”
In all three instances the exact same scenario has been repeated. This is clearly visible in the case of the Internet thanks to documents (Request for Comments -- RFC) that are publicly accessible. RFCs describe building blocks and protocols that form what we, today, call the Internet and are available on the Internet Engineering Task Force (IETF) web site. The earliest RFC is dated April 1969 and they continue to be published in the present day. The style for how the RFCs are written developed through years but it is interesting to note that a “Security consideration” section is absent from virtually all RFCs before 1990. Even when this section became mandatory in 1990, it was very often left blank (actually, it contained the sentence “Security issues are not discussed in this memo.” which amounts to the same!) for the next few years. We are not just talking about informational RFCs but also the ones marked as “proposed standard.” This practice changed around 1993 when a real effort was made to assess security aspects of RFCs.
Overall, we can say that security did not play a big role in the thinking that shaped some of the basic Internet protocols and features in the first 24 years of the Internet. Needless to say, some of these protocols are still in use today and because of that we are suffering from the lack of security considerations that were taken when these protocols were conceived. Obviously, there were always security conscious people but, generally, security assessment was not deemed a required part of any new proposal until 1993.
Operating systems went through the same scenario. Outside of the community that was using Multics (which is defence and intelligence), very few people were really considering security implications of their work. It took a long time to realise that security must be the integral part of the development of an operating system. If we take Microsoft as a popular example (and the most used operating system) then it took 21 years. 21 years is the time span between the release of DOS (not to be confused with DoS that stands for Denial-of-Service attack) in 1981 and the Trustworthy Computing memo sent by Bill Gates in 2002.
After 50+ years, the SCADA industry is also moving to address security issues and an absence of security in these systems should not be tolerated. Given their long presence in the industrial environment SCADA systems are ubiquitous and vital at the same time, which is the worst possible combination if security is not properly implemented.
SCADA is gradually waking up from its 50+ years of sleep and we should be appropriately scared by the lack of security in these systems. Given their long presence in the industrial environment SCADA systems are ubiquitous and vital at the same time, which is the worst possible combination if security was not properly implemented. And all signs indicate that security was not put in the forefront when SCADA systems were designed and developed.
But let us cast our gaze toward the future. What should we expect next? The next big things on the horizon are Internet of Things (IoT), smart metering, smart grids, and home appliances. Lucky for us it seems that we will not have to wait 20 years for security to become an integral part in these areas. A lot of attention is being paid to the security aspects of the protocols that are being used in these upcoming areas (IoT, metering, grid and appliances), but that is only one part of the story. The second part of the story involves users and their expectation.
Almost everyone has a very definitive expectation of how a TV or a light bulb should behave and that certainly does not include actions like patching these devices. Also, people usually do not consider the privacy aspects of looking at what is in a refrigerator or that the electricity supplier would get hints about your upcoming journey from your car. However, that is what will happen in a not too distant future. Your refrigerator will sense that the marmalade jar you just returned is almost empty and it may automatically place it in your online shopping basket at your favourite grocery store. Your electric car may signal to the utility company that it will use more power overnight to charge the battery because you just sent your trip plan to the car’s navigation system and the trip will be rather long. Both actions can signal when/if you are at home and your future plans.
Thanks to peoples’ expectation as to how our various appliances should behave we will expose ourselves to new risks, some of which are hard to even predict. Great care is being put into the technical aspects of new things (IoT, grids, etc.) but almost nothing into user education--not only children but adults too. Everyone is being exposed to new technology; however, everyone is not being exposed to an adequate understanding of the challenges and changes that these new technologies bring. The education component is missing and it currently appears that nobody is trying to fill that gap. Schools are introducing programs about good online behaviour but that is not enough and is only scratching the surface. We should introduce sociotechnology as a new subject, not only in a school’s curriculum but as a part of our lifelong learning. Newspapers should have a permanent section that would deal with sociotechnology and we should also have TV shows covering the same area. Lifelong learning is the only way forward as things are changing very fast. What we have learned five years ago may well be inadequate today.