Crossposted from Infosec Island
[Note: “SCADA” and “ICS” are essentially interchangeable terms for “Critical Infrastructure”. ICS is “Industrial Control Systems” and it doesn’t really matter what SCADA means for our purposes here.]
The root problem with SCADA security is that control systems have been built on the concept that devices can be trusted.
Since everything else about SCADA is based on the concept that devices can never be trusted (“Sure, the temperature in the boiler should stay at such-and-such, but I would like to monitor the hell out of it, anyway.”), once you get your head around the idea that you cannot trust your cyber devices either you find that it fits with existing industrial ideology quite well.
The solution to industrial cyber security is to do your best to build a reliable cyber system – just as you do with the physical assets in the industrial process – then monitor it like a convicted criminal in solitary confinement.