SCADA Security: What's Broken and How To Fix It

Modern attacks routinely breach SCADA networks that are defended to IT standards. This is unacceptable. Defense in depth has failed us. In "SCADA Security" Ginter describes this failure and describes an alternative. Strong SCADA security is possible, practical, and cheaper than failed, IT-centric, defense-in-depth. While nothing can be completely secure, we decide how high to set the bar for our attackers. For important SCADA systems, effective attacks should always be ruinously expensive and difficult. We can and should defend our SCADA systems so thoroughly that even our most resourceful enemies tear their hair out and curse the names of our SCADA systems' designers.

181 pages, Kindle Edition

Published September 25, 2016


About the author

Andrew Ginter

6 books, 3 followers

Community Reviews

5 stars: 8 (30%)
4 stars: 9 (34%)
3 stars: 9 (34%)
2 stars: 0 (0%)
1 star: 0 (0%)
Displaying 1 - 3 of 3 reviews
Brahm
597 reviews, 85 followers
December 14, 2018
On the one hand, this is a not-so-thinly veiled, 180-page advertisement for unidirectional gateways (which I received from a Waterfall booth at a conference; Ginter is a VP for the company). To be fair, the book is completely brand agnostic - it's not a cutsheet for their products.

On the other hand, there is a LOT of great content in here, written in an easy-to-read and understand tone. Anyone who works around interface points between IT and OT (operational technology) environments needs to be aware of security and design considerations and exactly what types of risks can be mitigated by IT-style defence-in-depth solutions (firewalls, antivirus, logging, threat detection, logical separations) and OT-style defence (physical perimeters, physical separations, isolation, and redundancy).

For those who are curious, the difference between firewall and unidirectional gateway: a firewall can be a physical device, but it is ultimately a software solution to routing packets based on rules, and we know all software can be hacked. And you don't want your industrial control systems hacked. A unidirectional gateway is usually a fiberoptic solution that physically restricts data transmission to one direction; there is a diode to send, and a photodiode to receive. One-way transmission = ultimate security.

There are added cost, complexity, and design considerations to implement unidirectional gateways, and Ginter provides ammunition to refute arguments (by managers, VPs and budget-owners) against implementing the "right" solution - because as electrical/controls/automation engineers, we don't always have a developed security vocabulary to articulate those risks. This is also a great resource for IT to understand the OT world.

4 stars for technical content, but the book took 4 months to finish because I just wasn't that excited to keep picking it up... 3 stars. That said, I'd easily recommend it to people in relevant fields.

Andrew Douma
21 reviews, 42 followers
September 24, 2017
I would highly recommend this book to traditional information security professionals as the author goes far beyond the SANS 410 Security Essentials "flip the CIA triad upside down and you understand it".

If you work in a well-funded environment, you may want to take some of the lessons learned from the ICS/SCADA security community and apply these internally.