At the S4x25 event, Dale Peterson sat down with Paul Griswold, former chief product officer at Honeywell, for an engaging fireside chat that delved into the state of industrial control systems (ICS) security. The conversation provided candid insights into the progress made, ongoing challenges, and future directions for vendors, integrators, and asset owners within the ICS landscape.
Opening thoughts: Reflecting on industry progress
Peterson opened the discussion by highlighting Griswold’s recent transition from Honeywell, noting the value of candid insights that often come after leaving corporate roles. The duo set the tone for an honest evaluation of ICS security, steering clear of vendor praise or criticism and focusing instead on systemic trends.
Vendor landscape: Progress and persistent challenges
Griswold reflected on the strides made by ICS vendors in recent years, particularly in adopting secure-by-design principles. He noted improvements in:
- Product Security: Vendors are increasingly embedding security features from the outset, rather than as afterthoughts.
- Vulnerability Management: Enhanced processes for identifying and addressing vulnerabilities.
- Customer Relationships: Close ties with long-term clients have driven vendors to prioritize security based on real-world demands.
However, Peterson pointed out a lingering gap: while secure deployment guides are now standard, many asset owners and integrators still default to legacy configurations, ignoring these best practices. Griswold acknowledged that while initial deployments often follow secure guidelines, configurations are frequently rolled back for convenience or operational familiarity.
Adoption gap: Why security features go underutilized
The conversation shifted to the slow adoption of advanced security features like embedded firewalls, secure communications, and encrypted protocols. Griswold observed that while vendors are offering these capabilities, uptake remains inconsistent, often driven more by specific customer demands than proactive vendor initiatives.
Peterson added that even with secure protocol options such as CIP Security and secure Modbus available, adoption rates are low, sometimes under 10% for new deployments. Griswold agreed, noting that cost sensitivities and the operational disruption of changing protocols often deter asset owners from fully leveraging the security features already available to them.
Budget realities: How much are asset owners willing to spend?
Discussing the financial side, Peterson questioned the willingness of asset owners to allocate additional budget for cybersecurity. Griswold estimated that security spending typically ranges from 10-15% of total project costs, though this varies widely based on organizational priorities and funding structures.
- New Deployments: Security is often bundled into the overall project cost.
- Legacy Systems: Additional security is treated as an optional add-on, with limited budget allocated unless compliance requirements or incident response drive the spend.
Griswold emphasized the importance of integrating security costs into the core project budget rather than treating them as optional extras, particularly as regulatory pressures increase.
Role of certifications and regulations
Peterson and Griswold discussed the growing influence of regulatory frameworks like the Cyber Resilience Act (CRA) in Europe and standards such as IEC 62443. Griswold noted that while certification demands are rising, many vendors still view them as check-the-box exercises rather than opportunities for genuine security improvement.
Key points included:
- Vendor Resistance: Some ICS vendors resist deep security integration, viewing it as outside their core business.
- Certification Fatigue: Navigating overlapping global standards can overwhelm vendors, leading to minimal compliance efforts rather than robust security practices.
Legacy systems: An ongoing security challenge
Peterson highlighted the enduring challenge of securing legacy ICS systems, referencing Siemens’ announcement to support certain products through 2040. Griswold acknowledged that while legacy support is customer-driven, it complicates security efforts:
- Retrofit Solutions: Vendors are exploring overlay technologies to enhance security without requiring complete system overhauls.
- Customer Reluctance: Asset owners often resist upgrades unless driven by system failures or regulatory mandates.
Griswold suggested that vendors will increasingly face pressure to provide security enhancements for older systems, particularly as regulatory expectations evolve.
Integrators: The forgotten link in the security chain
The discussion turned to system integrators, who play a critical role in ICS deployments. Peterson observed that integrators sometimes revert to outdated practices, undermining the vendor's own security recommendations. Griswold agreed, noting:
- Integrator Influence: Integrators can act as key enablers or barriers to security, depending on their expertise and alignment with vendor guidelines.
- Lack of Security Expertise: Many integrators lack dedicated cybersecurity training, focusing instead on operational efficiency and cost control.
Both agreed that better integration of cybersecurity training into integrator workflows is essential for closing this gap.
Future outlook: Where ICS security needs to go
In closing, Peterson asked Griswold to reflect on unmet expectations in ICS security over the past three years. Griswold identified several areas for improvement:
- Deeper Security Integration: Moving beyond add-on security features to embed cybersecurity within core ICS architectures.
- Regulatory Alignment: Streamlining compliance processes to reduce complexity and encourage genuine security improvements.
- Customer-Driven Security: Encouraging asset owners to demand stronger security postures, pushing vendors and integrators to prioritize cybersecurity.
Peterson emphasized the importance of industry collaboration, urging stakeholders to share best practices and lessons learned to accelerate progress.
Key takeaways
- Security by Design: Vendors have made progress, but adoption remains inconsistent.
- Budget Realities: Asset owners are often hesitant to invest significantly in security without regulatory or incident-driven pressure.
- Legacy Challenges: Older systems will continue to pose risks, requiring creative retrofit solutions.
- Integrator Role: A critical but often overlooked factor in effective ICS security.
Final thoughts
The fireside chat provided a frank, insightful exploration of the current state of ICS security. Peterson and Griswold highlighted both progress and persistent challenges, offering a roadmap for where the industry needs to focus next: integrating security seamlessly into systems, budgets, and mindsets.