
It is neither the hard rock group nor the mark of affection between people but rather the acronym KISS that was reportedly coined by Kelly Johnson, the lead engineer at Lockheed Skunk Works, who expanded it as “Keep It Simple Stupid”.
In the world of security, I often run across the term whitelisting, often together with blacklisting. The two define opposite behavior: with blacklisting, everything is allowed until it is explicitly denied; with whitelisting, everything is denied unless it is explicitly allowed.
But why is this important when it comes to security and critical infrastructure? And why is it different from regular IT?
In general, IT carries the burden of not knowing what traffic will come. You never know which site a user might request or whom they want to email. Therefore you cannot rely solely on whitelisting, because it would hinder the normal flow of work too much.
With critical infrastructure, the opposite is often the case. The protocols are well-defined, you know what packets will be sent, and you know, or at least should know, which devices are in use. A simple example: there is no reason to allow Modbus “write” packets when you are just observing a site, so you should whitelist only “read” packets, enabling observation but not change.
Even though this still requires work, you can follow the principle “Keep It Simple Stupid” and deploy whitelisting, making your system more secure.
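To make the read-only whitelist concrete, here is an added example (not code from the original post) that parses the Modbus/TCP MBAP header and function code of a frame and applies two policies to it: a whitelist that allows only the public read function codes, and a blacklist that denies the write codes its author happened to know about. The function-code sets, the sample frames, and the blacklist's missing entry for 0x10 (write multiple registers) are all constructed for the illustration; the frame layout itself follows the Modbus/TCP specification.

```python
"""Modbus/TCP function-code filtering: default-deny (whitelist) vs default-allow (blacklist)."""
import struct
from dataclasses import dataclass

# Public Modbus read function codes: read coils, discrete inputs,
# holding registers, input registers. This is the whitelist.
READ_FUNCTION_CODES = {0x01, 0x02, 0x03, 0x04}

# A constructed blacklist of write codes that "forgot" 0x10 (write multiple
# registers) and knows nothing about vendor-specific codes (0x41-0x48).
KNOWN_WRITE_CODES = {0x05, 0x06, 0x0F}

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)


@dataclass
class Decision:
    allowed: bool
    reason: str


def parse_function_code(frame: bytes) -> tuple[int, int]:
    """Return (unit_id, function_code); raise ValueError for a frame we cannot classify."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame too short for MBAP header plus function code")
    _tx_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if protocol_id != 0:
        raise ValueError(f"unexpected protocol id {protocol_id}")
    # The MBAP length field counts the unit id plus the PDU that follows it.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match frame size {len(frame)}")
    return unit_id, frame[MBAP_LEN]


def whitelist_decision(frame: bytes) -> Decision:
    """Deny unless the function code is explicitly allowed (and the frame parses)."""
    try:
        _unit, fc = parse_function_code(frame)
    except ValueError as exc:
        return Decision(False, f"malformed: {exc}")
    if fc in READ_FUNCTION_CODES:
        return Decision(True, f"function code 0x{fc:02x} is on the read whitelist")
    return Decision(False, f"function code 0x{fc:02x} is not whitelisted")


def blacklist_decision(frame: bytes) -> Decision:
    """Allow unless the function code is explicitly denied; unparseable frames are still dropped."""
    try:
        _unit, fc = parse_function_code(frame)
    except ValueError as exc:
        return Decision(False, f"malformed: {exc}")
    if fc in KNOWN_WRITE_CODES:
        return Decision(False, f"function code 0x{fc:02x} is on the write blacklist")
    return Decision(True, f"function code 0x{fc:02x} is not blacklisted")


# Constructed sample frames (hex), all addressed to unit id 1.
FRAMES = {
    # FC 0x03 read holding registers, start 0, quantity 10
    "read_holding_registers": bytes.fromhex("00010000000601030000000a"),
    # FC 0x06 write single register, address 0x10, value 0xFF
    "write_single_register": bytes.fromhex("0002000000060106001000ff"),
    # FC 0x10 write multiple registers, start 0, 2 registers, 4 data bytes
    "write_multiple_registers": bytes.fromhex("00030000000b01100000000204000a000b"),
    # FC 0x41 vendor-specific function with one data byte
    "vendor_specific": bytes.fromhex("000400000003014100"),
    # MBAP header cut off before the unit id and function code
    "truncated": bytes.fromhex("000500000006"),
}


def evaluate_all(frames: dict[str, bytes]) -> dict[str, tuple[bool, bool]]:
    """Map each frame name to (whitelist_allowed, blacklist_allowed)."""
    return {
        name: (whitelist_decision(f).allowed, blacklist_decision(f).allowed)
        for name, f in frames.items()
    }


if __name__ == "__main__":
    for name, (wl, bl) in evaluate_all(FRAMES).items():
        print(f"{name:26s} whitelist={'ALLOW' if wl else 'DENY ':5s} blacklist={'ALLOW' if bl else 'DENY'}")
```

Running it shows the post's point in one table: both policies agree on the read and on the well-known write, but the blacklist lets the forgotten write code and the vendor-specific code through, while the whitelist needs no update to stop them. Anything the parser cannot classify is dropped by both, since a frame you cannot read is not one you can whitelist.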
I know that this description is simplified, but the point I want to make is that I often see a trend in critical infrastructure to chase the latest and greatest security solution from IT, spending too much money doing it, when the simple solution might do the trick.