Summary
That concludes the discussion on ICS device security. From experience, I can say that the decisions made at this level are mostly influenced by uptime and expected performance of the ICS. Having discussions around security early on in the decision process will help get a foot in the door. Implementing security as an afterthought is harder to accomplish here than anywhere else in the defense-in-depth model. For example, swapping out a PLC simply because it doesn't support signed firmware verification is a tough sell once the device is in production.
In the next chapter, we will combine many of the topics learned throughout the book as we discuss the ICS security program development process.