January is the Cruellest Month

January is a month I dread. It’s not the cold, the rain and the grey skies here on the west coast of Canada (although that is bad enough). And it is not the post-Christmas avalanche of credit card bills (also bad). The nightmare for me is the annual “SCADA Security Predictions for the Next Year” article that I have to write in the first week of January.

Every January I get asked to make between three and five predictions for the upcoming year. Then every December people remind me that I made those predications 12 months ago. Then they get to tell me how poorly I did. In between January and December I get to worry.

Take my predictions for 2012. I thought I had done well, getting two out of three predictions right with one still undecided. Then Sean McBride informed me that I had counted wrong. I had announced that there were 569 new SCADA/ICS vulnerabilities in 2012. Unfortunately (for me), this is cumulative total since 2001. Only 248 new vulnerabilities were announced in 2012. Since I predicted there would be 500 new vulnerabilities in 2012, I was way off base and only scored 0.333 for my 2012 predictions. Not so good.

I Predict… That Not Much Will Change in 2013???

Part of the problem is that the industrial automation world moves glacially slow compared to sectors like home computing or communications, making predictions of any signification change a challenge. As Dale Peterson of Digital Bond has pointed out, too little has changed in the past decade when it comes to SCADA security. He is right, but it is not just security that moves slowly in this industry. Things that take years in other sectors take decades for industrial systems.

Take industrial wireless -- back at the turn of the century, it was promoted as the technology that would soon dominate the plant floor.

Over ten years later, Frost & Sullivan Research Analyst Anna Mazurek writes, “The market needs another 4-5 years of pilot applications and technology trials to address all pending concerns...” Industrial wireless will come, but the time scale is much longer than a year or two.

Of course, I could take the easy way out and predict what will not happen in 2013. For example, the confusion over which NERC-CIP version companies should be complying with will not get sorted out in 2013. A cyber security bill will not get passed by the US senate in 2013. And most PLC and SCADA vendors will continue to ship insecure controllers using insecure protocols in 2013.

But that is cheating, so once again I stick my neck out and make a few real predictions of events and trends in the SCADA and ICS world.