Companies that buy SCADA and other types of control gear for energy production centers will begin to ask for more robust defenses against online threats, said Alan Paller, director of research for the SANS Institute. Vendors, which generally have a friendly relationship with their customers, will agree to provide more secure systems, he added.
"For one, any attack against [control systems] will be just as bad for the vendor as for the customer," he said. "And [the vendors] know there is money to be made in all of this."
Paller cited BP as having updated its manufacturing centers and power plants in response to changing online threats. But much of the rest of the industry has operated in fear that patching its networks will knock its systems offline.
"This is a whole industry operating under the perception that no one can touch their systems or they'll crash," he said.
Paul Dorey, vice president of digital security and CISO for BP, said vendors have awakened to the importance of online security.
"In early 2002, when we started discussing security architectures, accreditation and secure maintenance with process control vendors, we were met with a lot of blank silences. Progress has been significant. From a world where vendors told us that malware protection like antivirus or system patching were just not possible, we see most process control systems providers stepping up to the issue and treating security as a fundamental integrity concern. Several vendors are now even beating IT office system patching timetables as they know the implications in a process control world."
Dorey added that accreditation for corporations that stay ahead of the security curve is coming in the near future.
"The industry is now stepping toward positive accreditation where systems are tested with known testing technology," he said. "Systems that fail are required to remediate weaknesses as a contractual requirement."
Ernest Rakaczky, director of process control network security at Invensys Process Systems, said he believes vendors and buyers will work together for more secure infrastructure.
"We are controlling a major plant. That becomes a lifetime arrangement," he said. "Because of that, you have an integral part of the day-to-day business operations."