Jason Holcomb over at the Digital Bond blog posted something that attracted my attention. He popped up an innocuous entry titled "Virtualization in the SCADA World: Part 1" which intrigued me for reasons that should be obvious to anyone who reads my steaming pile of blogginess with any sort of regularity.
It would be easy to knee-jerk and simply roll my eyes suggesting that adding virtualization to the "security by obscurity" approach we've seen being argued recently is just inviting disaster (literally,) but I'm trying to be rational about this. I want to understand the other camp's position and learn from it, hopefully contributing to break down a wall or two...
Jason sets it up:
A few years back, the traditional IT world was debating the merits of virtualization. There were concerns about performance, security, vendor support, and a host of other issues. Fast-forward to today, however, and you’ll find virtual machines in use in nearly every data center.
I think it's fair to say that while most folks would be hard pressed to dispute the merits of virtualization, the concerns regarding "...performance, security, vendor support, and a host of other issues" are hardly resolved. In fact, they are escalating.
So what are the implications of this in the SCADA world? I think it’s just a matter of time before we see more widespread acceptance of VMware and other virtualization platforms in production control systems. The benefit here may be less about cost savings, though, and more about increased functionality. The ability to snapshot and clone machines for backup and testing, for example, is very attractive.
I think the paragraph above is extremely telling because it's really focused on debating the value proposition which is really a foregone conclusion for all the reasons Jason mentions. The real meat will hopefully be discussed in the follow-on's:
We’re going to examine this subject over a series of blog posts. Hopefully we’ll cover all the major topics – security, reliability, performance, serial communication issues, vendor support, and adoption rate, to name a few.
I look forward to your comments and opinions.
In my first comment to Jason's posting, I alluded to a whole host of virtualization-related issues which are grounded in practice and not hype and asked that since SCADA security is billed as being SO much different than "IT security" what this intersection will bring and how one might assess risk (and against what.)
Further, given various C&A standards, I'm interested in how one might approach (depending upon industry) holding these systems up to a C&A process once virtualization is added to the mix.
It will be an interesting discussion, methinks.