The Tofino blog has a post by Bob Radvanovsky on an issue that is quite important for many ICS owners and operators. I've seen internet-connected water control systems with my own eyes, and have reported everything from building management systems to electric substations directly connected to the internet to ICS-CERT, vendors, owners, and anybody who will listen.
It's a great irony to me that the blog post appears on Tofino's website. I have a great deal of respect for Tofino's hardware and software, but their overarching message concerning field device security is muddled. Eric Byres and other SCADA Apologists say that removing insecure-by-design field devices in favor of secure-by-design ones is simply impossible for asset owners.
What we're seeing is that the alternate strategy of the SCADA Apologists, wrapping everything in blankets of compensating controls and intrusion detection, simply isn't happening. We aren't doing much better in securing things by design, unfortunately. Recently it was revealed that a supposedly secure-by-design device, GE's new flagship D20MX, is having problems.
There are so many reasons to have field devices that are secure-by-design. Sometimes people simply do not firewall their devices and leave them exposed to the internet. While I view this as a terrible mistake, it is precisely because of this that "defense in depth" must include endpoint security where industrial control systems are concerned. Firewalls fail for many reasons, including technical foulups and human error. We shouldn't be depending on firewalls to deliver our sole ICS security posture.
In the IT world, folks figured this out a while back. OS hardening is the norm for Microsoft, GNU/Linux, and even OS X systems. Security is built into these hosts -- hosts which are not responsible for running our power grids, delivering our water, or mining our copper -- so why can't we have such features built into field devices? In the grand scheme of things, the cost is negligible...