Both attacks on SCADA systems and investments in the SCADA security field seem to be growing, according to Donato Ferrante. "In fact, if we think that several big companies in the SCADA market are investing a lot of money in hardening these infrastructures, it means that the SCADA/ICS topic is and will remain a hot topic for the upcoming years," Ferrante said via email.
However, securing SCADA systems is not as straightforward as securing regular IT infrastructures and computer systems. Even when security patches for SCADA products are released by vendors, the owners of vulnerable systems might take a very long time to deploy them.
There are very few automated patch deployment solutions for SCADA systems, Luigi Auriemma said via email. Most of the time, SCADA administrators need to manually apply the appropriate patches, he said.
"The situation is critically bad," Kamluk said. The main goal of SCADA systems is continuous operation, which doesn't normally allow for hot patching or updating -- installing patches or updates without restarting the system or the program -- he said.
In addition, SCADA security patches need to be thoroughly tested before being deployed in production environments because any unexpected behavior could have a significant impact on operations.
"Even in those cases where a patch for a vulnerability exists, we will find vulnerable systems for a long time," Santamarta said.
Most SCADA security experts would like industrial control devices such as PLCs to be re-engineered with security in mind.
"What is needed is PLCs with basic security measures and a plan to deploy these in the most critical infrastructure over the next one to three years," Peterson said.
"The ideal scenario is where industrial devices are secure by design, but we have to be realistic, that will take time," Santamarta said. "The industrial sector is a world apart. We should not strictly look at it through our IT perspective. That said, everybody realizes that something has to be done, including the industrial vendors."
In the absence of secure-by-design devices, ICS owners should take a defense-in-depth approach to securing these systems, Santamarta said. "Considering that there are industrial protocols out there that are insecure by default, it makes sense to add mitigations and different layers of protection."
"Disconnect ICS from the internet, put it in an isolated network segment and strictly limit/audit access to it," Kamluk said.