Plug in a Siemens PLC (underlying Linux); let’s say it’s not running Windows. The installation then needs to run for at least 15 years, so we won’t be modernizing anything in the PLC behind it.
I’m OK with that, as long as the installation is fully air-gapped, but who builds multiple air-gapped installations? Nobody. And what is the answer then? Put in a firewall and everything is solved. If you don’t want to do security, why bother with a firewall?
The reason you install a firewall is that you know the Siemens PLC is now simply connected to the network. And are the operator clients with SCADA, in this case WinCC, connected to that network, and what operating system do they run on? That’s right, Windows machines. On those Windows machines you will run into some VPN/RDP/TeamViewer because the vendor finds it very useful to remotely monitor and schedule that technical installation. Then you also need to get data from that technical installation for analysis and monitoring; whether you do it via OPC, OPC UA, MQTT or something else, these are all connections with the outside world (IT/IoT).
Then we have not yet talked about how the Siemens PLC communicates with its I/O: Profinet, Modbus, IsoOnTCP, CAT, and so on. But have you had a good look at how they connect nowadays? All IPv4 with an RJ45 connector. If all this is in the air as before, it’s not immediately a problem, but we want integration, smart grids, connected factories, in short, Industry 4.0. I literally saw the neighbor (factory) drill a hole in the wall and put a network cable through for the Modbus to go over, because yes, it had to have real-time information from our control system; the question was whether I wanted to plug it in.
And what about security? If you’re in that world, how many companies do you know that update the firmware of a dedicated PLC? Or install those updates on their operator/SCADA clients?
None; it’s behind a firewall and that’s all you need to do. Until you come and put a packaged unit with me in the company falling under Seveso: the NIS 2 legislation is behind us, the insurers start doing audits, and I can assure you they all agree with the firewall story. So 40 different vendors who had installed those little pieces of separate technical installations in the past were formally contacted with the question: how are you going to ensure the safety of that installation? 2 (!) of the 40 answered; the other 38 pretended to have a bloody nose. The insurance makes it easy: either the provider puts in place a decent security policy or you blacklist it; if you don’t want to do that, we will take away the insurance, and no insurance, no company.
You can say, "Yes, but you’re Seveso; a normal factory won’t be affected." Then I’d re-read NIS 2. It’s rather that people go after the most critical companies first, but once they’re done there, then the rest also depends.
The above is written assuming we are talking about normal control. If you start talking about safety PLCs, then either they are really air-gapped or you have a (virtually) air-tight safety policy which includes a safety analysis both before and during, if after a HAZOP (which I haven’t seen anywhere yet, maybe OK in the nuclear sector?), or your safety no longer meets the ISO standard.