Jake Brodsky wrote a response to this article on his blog. It contains such a high density of valuable addition to what I wrote that I would like to reference it here.
You’ll find the link to Jake’s full post at the bottom. Here, I’m only summarizing what in my humble opinion are the key aspects:
The Purdue Model is not what we’re looking for
First, Jake summarizes why the Purdue Model, while worthwhile, is not the system model we’re looking for:
“The Purdue Model was not designed to be a security architecture. It was a model designed to preserve real-time performance at various parts of a process. […] Anyone trying to sell the Purdue Model as something more than real time performance is making stuff up.”
Security Engineering means considering unlikely permutations of process states
Second, he points out why it is so hard to systematically model “what could go wrong”:
“Engineers learn from their mistakes and the mistakes of others. However, an attacker is usually quite creative at lining up unlikely permutations of events that will destroy the infrastructure and possibly kill people. The assumptions that most engineers make when designing controls are typically from random failure modes, not a malicious attack. […] What would happen if you crossed over the double yellow line on a highway? Go back to the side where you belong. […] However, an attacker doesn’t think that way. The attacker wants you to be on the wrong side of the highway.”
“True functional zones”
Third, he offers ideas on focusing on functions and on identifying the most dangerous permutations of process states:
“Historically, most PLC I/O has been designed based upon ease of getting the I/O in to a local marshaling cabinet. Considerations regarding I/O function were secondary. We need security expertise with the engineering expertise to develop true zones of functionality. […] Once the most dangerous permutations have been identified and reviewed, we can then draw an outline in the P&I diagrams to identify the zones and the conduits of security.”
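To make the “permutations of process states” idea concrete, here is a small added illustration of my own; it is not code from Jake’s post, and the process it models (a tank with an inlet valve, an outlet valve, a pump, a level measurement and a high-level alarm) and its hazard rules are constructed assumptions, not taken from any real plant. It enumerates every combination of component states, flags the ones that violate an engineering hazard rule, and contrasts that with the classic “one thing fails at a time” view: the hazard that needs three components off-normal at once never shows up in a single-failure analysis, which is exactly the gap an attacker looks for and a security engineer has to close.

```python
from itertools import product

# Constructed toy process (assumption, not from the original post): a tank that is
# filled through an inlet valve and emptied by a pump through an outlet valve.
COMPONENTS = {
    "inlet_valve": ("closed", "open"),
    "outlet_valve": ("closed", "open"),
    "pump": ("off", "on"),
    "level": ("low", "normal", "high"),
    "high_level_alarm": ("armed", "bypassed"),
}

# The intended steady state: inlet closed, pump draining through the open outlet.
NORMAL_STATE = {
    "inlet_valve": "closed",
    "outlet_valve": "open",
    "pump": "on",
    "level": "normal",
    "high_level_alarm": "armed",
}

# Hazard rules an engineer would write down for this process (constructed examples).
# Each is a name plus a predicate over one complete process state.
HAZARD_RULES = [
    ("overflow", lambda s: s["inlet_valve"] == "open"
                           and s["level"] == "high"
                           and s["high_level_alarm"] == "bypassed"),
    ("pump_deadhead", lambda s: s["pump"] == "on" and s["outlet_valve"] == "closed"),
    ("pump_dry_run", lambda s: s["pump"] == "on" and s["level"] == "low"),
]


def enumerate_states():
    """Yield every permutation of component states as a dict."""
    names = list(COMPONENTS)
    for values in product(*(COMPONENTS[n] for n in names)):
        yield dict(zip(names, values))


def hazards_for(state):
    """Names of all hazard rules that the given state violates."""
    return [name for name, rule in HAZARD_RULES if rule(state)]


def deviation_count(state):
    """How many components are away from their normal value."""
    return sum(1 for k, v in state.items() if v != NORMAL_STATE[k])


def analyse(max_deviations=None):
    """Map hazard name -> list of states that trigger it.

    max_deviations=1 reproduces the classic random-failure view (one component
    misbehaves at a time); None considers every permutation, which is the
    attacker's view: nothing stops several components from being wrong at once.
    """
    found = {}
    for state in enumerate_states():
        if max_deviations is not None and deviation_count(state) > max_deviations:
            continue
        for name in hazards_for(state):
            found.setdefault(name, []).append(state)
    return found


def dangerous_permutations():
    """Every distinct state that violates at least one hazard rule."""
    return [s for s in enumerate_states() if hazards_for(s)]


def min_deviations_per_hazard():
    """Fewest off-normal components needed to reach each hazard."""
    return {name: min(deviation_count(s) for s in states)
            for name, states in analyse().items()}


def hazards_missed_by_single_failure_analysis():
    """Hazards that only appear when more than one component is off-normal."""
    return sorted(set(analyse()) - set(analyse(max_deviations=1)))


if __name__ == "__main__":
    print("total permutations:", sum(1 for _ in enumerate_states()))
    print("dangerous permutations:", len(dangerous_permutations()))
    print("deviations needed per hazard:", min_deviations_per_hazard())
    print("missed by single-failure analysis:",
          hazards_missed_by_single_failure_analysis())
```

The interesting output is the last line: “overflow” needs the inlet open, the level high and the alarm bypassed at the same time, so a review that only asks “what if this one thing fails?” never lists it, while the full enumeration does. On a real P&I diagram the states that share such a multi-component hazard are exactly the ones that belong inside one functional zone, with the conduits between zones chosen so that no single path can drive all of them off-normal together.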
Further reading
Here’s the link to Jake Brodsky’s full blog post: http://scadamag.infracritical.com/index.php/2020/04/12/diagramming-ics-security/