But the time has come to upgrade or replace these aging systems. There are now compelling reasons to connect these systems to corporate networks and the Internet. As those connections are made, the isolation – or ‘air gaps’ – that protected these systems disappears. The long-standing strategy of ‘security through obscurity’ no longer holds up. In addition, corporate and operations staffs have other realities and requirements to consider, including:

• Shifting from proprietary to open, standards-based solutions can lower costs, increase operational flexibility and avoid vendor lock-in
• Generating real-time business intelligence from operational data can enhance service delivery
• Improving the effectiveness of automation systems drives new efficiencies into the industrial processes they control, yielding better performance and results
• Ensuring that the operational health and safety levels of the systems and processes are continually maintained.

Another major change that ICS and SCADA system professionals must manage is the explosive growth in the number of intelligent endpoints in industrial environments. In rapidly growing industry segments such as the Smart Grid, the numbers and types of networked and IP-enabled devices is increasing exponentially. This array of issues, including economic, operational and technological drivers, is forcing automations systems professionals to grapple with much more change at a much faster pace than ever before.

The following are five of the major hurdles that critical infrastructure and industrial process companies often face as they move forward with initiatives to modernize their control environments.

1. Lack of “Last Mile” Coverage and Instrumentation for Device Visibility – ICS systems are increasingly leveraging wireless and Internet connectivity to expand the system’s reach and effectiveness. Gaining faster access to more granular and real-time data from far-flung end points can produce substantial operational benefits. From a security perspective, however, such expansion introduces new risks.

One of the primary security issues that arise in these implementation scenarios stems from the fact that embedded devices often lack local or remote logging capabilities. As a result, they cannot adequately log relevant security and compliance data. Additionally, interactive remote access can be cumbersome, hard to achieve or only available in an insecure manner.


To address the lack of visibility largely inherent in these devices, organizations should place network sensors logically near the devices to detect events which would normally be present in event logs. Network Intrusion Detection Systems and network flow tools are two such examples. Additionally, organizations should consider protocol-aware gateways or firewalls to restrict access and add a layer of security, since many industrial protocols lack authentication and security features.

2. Not So Automatic “Automation” – Whether or not they have the Critical Infrastructure designation, ICS operators of all kinds face growing internal and external (regulatory) requirements to produce ever-increasing amounts of operational data. It is a growing operational and administrative burden, and automation systems operators must find an efficient and secure way to deal with it. Since old habits – and cautions – die hard, many asset owners are averse to fully automating their data collection processes.

This reluctance to fully automate data collection often leads operators to conduct partial automation efforts. Examples include scripts being run manually on each individual host, or scripts that can run remotely but have to be initiated manually. These half-measures are not thorough and are often incomplete.