Howdy folks! Just wrapping up here at ISA Automation Week, and I have to say I am pretty impressed at some of the things that NIST is doing, that ISA is doing, and at the security culture in general. However, I have to say that I am equally appalled at some less-than-responsible “security” vendors. I have heard no fewer than three times this week that if we had purchased company “X”’s offering, we would have avoided the Stuxnet issues! Really? Now I am not going to turn this venue into a technical dissection of the Stuxnet threat vs. various security products, but what I do want to point out is the danger inherent in this statement, for three reasons.
1) Use of FUD or hype to sell product or services. To state that the world is big, bad and scary and that only your product can save us is pretty base in my honest opinion. Now there is a certain latitude for truth in the technical comparison of how a particular threat can spread and how your solution can prevent it, but that was not the tone of this particular presentation. It was not about technical facts—it was about selling through fear.
2) There is no silver bullet in security. I don’t care what system you buy or what program you put in place, there is always going to be a way around it or a possible/plausible threat. Your product may block what we see today, but what is on the horizon? This particular piece of malware exploited no fewer than four zero-day vulnerabilities! This means it used threat vectors that were not even known yet! To try to sell a security guarantee is dangerous. A proper expectation would be to provide a program or tools that minimize your exposure and maximize your ability to contain and recover from an event when it happens—and it will!
3) Mind the target you just put on your product. The absolute worst possible thing that could happen to any of these organizations that make claims like this is for their product to fail. Ever. Realize that you have now set the bar for your product/service at such a level that if/when your product does NOT protect your clients, your word is now worthless.
Maybe I am a little too hyped up in the hot Houston sun, but that’s how I see it. Time to saddle up and head home. Until then, happy trails.
Update: Howdy, Control Global readers!
Update II: And a big ‘ol welcome to readers from Tofino Security, as well!