Veracode's Wysopal says patching isn't the answer for most SCADA systems. "The systems are not designed to be updated and patched at the pace that security updates would require," he says. "I think there has to be the mentality of compartmentalizing these systems such that you use network security to keep from reaching those systems ... That means essentially having an air-gapped network because you can't even have clients on the inside."
Until those systems are designed so they can be safely and easily updated, compartmentalization is a good option, he says.
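The compartmentalization Wysopal describes can be checked mechanically: a segmentation policy is only as good as the rules that enforce it, so a defender should be able to ask "can any ordinary client reach the control zone directly?" and get a yes or no answer. The following is an added example, not code from the article or from any vendor mentioned in it. It models a first-match firewall policy over three hypothetical zones (a corporate client network, a single hardened jump host, and a SCADA zone; all addresses are constructed) and audits whether a weak policy lets corporate hosts reach the control zone, then shows the corrected policy passing the same audit.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical zones; addresses are constructed for this example.
CORPORATE = ipaddress.ip_network("10.10.0.0/16")     # ordinary clients (no direct ICS access)
JUMPHOST = ipaddress.ip_network("10.20.0.5/32")      # the one hardened entry point into the ICS zone
SCADA = ipaddress.ip_network("192.168.100.0/24")     # controllers, HMIs, historians

# Ports an auditor would sample: Modbus/TCP, DNP3, EtherNet/IP (plus an arbitrary high port).
SAMPLE_PORTS = (502, 20000, 44818, 8443)


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]   # None means "any port"
    action: str           # "allow" or "deny"


# Weak policy: convenience rule lets every corporate client talk Modbus straight to the plant.
WEAK_POLICY = [
    Rule(CORPORATE, SCADA, 502, "allow"),
    Rule(JUMPHOST, SCADA, None, "allow"),
]

# Segmented policy: only the jump host may reach the SCADA zone; everything else is explicitly denied.
SEGMENTED_POLICY = [
    Rule(JUMPHOST, SCADA, None, "allow"),
    Rule(CORPORATE, SCADA, None, "deny"),
]


def decide(policy, src: str, dst: str, port: int) -> str:
    """First-match evaluation with an implicit default deny at the end of the chain."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for rule in policy:
        if src_ip in rule.src and dst_ip in rule.dst and (rule.port is None or rule.port == port):
            return rule.action
    return "deny"


def audit_compartmentalization(policy, client_zone=CORPORATE, control_zone=SCADA,
                               jumphost=JUMPHOST, ports=SAMPLE_PORTS):
    """Return every (client, controller, port) triple where a non-jump-host client
    is allowed to reach the control zone. An empty list means the zone is compartmentalized
    with respect to the sampled hosts and ports."""
    # Sample the first and last usable hosts of each zone; a fuller audit would enumerate more.
    clients = [client_zone[1], client_zone[-2]]
    controllers = [control_zone[1], control_zone[-2]]
    violations = []
    for client in clients:
        if client in jumphost:
            continue  # the jump host is the sanctioned path, not a violation
        for controller in controllers:
            for port in ports:
                if decide(policy, str(client), str(controller), port) == "allow":
                    violations.append((str(client), str(controller), port))
    return violations


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("segmented", SEGMENTED_POLICY)):
        found = audit_compartmentalization(policy)
        print(f"{name}: {len(found)} direct client->SCADA paths")
        for v in found:
            print("  ", v)
```

The weak policy reports every sampled client reaching every sampled controller on port 502, while the segmented policy reports nothing yet still lets the jump host through, which is the property the air-gap-or-jump-host model is meant to guarantee.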
Meantime, the worry is that it will take a big wake-up call to force any palpable change to securing the systems that run critical infrastructure and other processes.
"Many people tell me this will not be fixed until some power plant, pipeline, chemical plant, or something else has a major disaster caused by a cyberattack -- one that causes a huge financial impact to the economy, loss of life, etc. Then everyone will spring into action and say these insecure-by-design systems need to be replaced in 'X' years," Peterson says. "I'm hoping they are wrong, and we can begin this prior to the disaster."