Trisis, Stuxnet, Xenotime, Sunburst, Petya and NotPetya.
At times it seems like cybersecurity is from another planet or out of a science-fiction movie. In the world of industrial-control systems, we are used to names like 800xA, Mark VI, Ovation, and ControlLogix. It almost seems like a different language.
This “quasi-scientific” cyber-naming is just one of many reasons why process control or OT personnel and leadership tune out and ignore the real threats that exist. The need for “threat intel and hunting,” “prioritizing CVEs,” IDS/IPS/HIDS/NIDS/DPI, and a whole suite of other foreign acronyms and terms deepens the dissonance.
We have heard many throw up their hands saying that there is no way they will understand all this “cyber stuff.” It sounds really complicated and time-consuming.
Then IT arrives to explain that the OT team needs to provide monthly or more frequent updates on their systems’ patch and configuration status, ensure users change passwords every 30 days, ensure AV signatures are updated every week or month on each of the various OEM systems in the environment, test and confirm backups are up to date, monitor all software on the system and ensure no new software or user accounts are added…and if vendors need to access the system, monitor their every move and shut down access immediately afterward. And that list continues to grow.
The sum of the language barriers, along with a seemingly endless list of maintenance, monitoring and reporting tasks, often leads OT leaders to denial or pushing back—not because they don’t see it as important, but because the operational costs seem overwhelming and they can’t see a way to get it all done.
In a way, the cybersecurity community is its own worst enemy.
So how can we make cybersecurity practical, understandable, and efficient in the OT environment? How do we bridge these worlds?
The answer is to adopt a vendor-agnostic OT systems-management methodology. The key to effective protection of industrial systems lies in the consistent application of core security functions—asset identification, vulnerability and patch management, user and access management, backup and recovery, etc. While learning all of the fancy names of attack groups is exciting, and important for those focused on advanced threat hunting, the core of security begins with applying the fundamental systems-management capabilities that IT has used for years.
There are four key steps required to make this a reality for OT:
- Two-way education. There is a lot of talk about IT-OT convergence and that teams need to integrate or work together. This is all true. But it starts with education and awareness. IT needs to clarify the “what” and “why” of security in simple terms. OT needs to clarify the practical differences in operating OT. Together, then, the joint team can come to aligned objectives and compensating controls that achieve the overall cybersecurity objectives.
- Vendor-agnostic OT systems-management automation. The single biggest barrier to OT security, according to the 2020 (CS)²AI – KPMG Control System Cyber Security Annual Report, is a lack of resources and talent (see the chart below). Over the next 2-4 years, industrial organizations will be required to deliver on the core systems-management and reporting functions, based on the needs of what we call RAID: Regulators, Insurers, Attackers and Data. Without vendor-agnostic automation of these core functions (patching, configuration, vulnerability, user and access management, etc.), the labor burden will simply be too great to succeed. It would be as if IT teams manually managed their Dell PCs and servers differently from their HP or other brands. The cost and complexity are too great to rely on individual OEM vendors for these tasks.
- Risk reduction prioritization. The first realization that emerges from industrial-controls cyber-assessments is, “Oh my goodness, that is a huge number of critical vulnerabilities.” This is not surprising, given that these systems have not been managed for security in the past. Successful risk management depends on prioritizing all of these risks and narrowing them down to what can actually be accomplished, in order to separate signal from noise. The key to that is a comprehensive risk view of each asset. This 360-degree risk score allows the team to focus on the most critical risks and prioritize which remediation actions or controls will have the greatest impact given the challenges of sensitive OT systems.
- Think global, act local. To gain the scale necessary to succeed in OT security, organizations need to bring site-level data on every asset and flow into a centralized analysis and reporting platform. This allows for scaled vulnerability and risk analysis as well as remediation planning. But OT requires deep insight before actions are taken. The solutions need to allow for “local action,” or the ability for controls experts close to the process to determine time, place and sequence of remediation actions to protect the critical running operations.
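The two ideas above, a per-asset risk score that separates signal from noise and a central view that still hands the scheduling of remediation to the people at each site, can be sketched in a few dozen lines. The example below is added here and is not code from the original article or from Verve Industrial; the weights, exposure and criticality scales, field names and the sample inventory are all assumptions chosen to illustrate the approach, and a real program would be fed from an asset-inventory and vulnerability-scan export rather than from constants.

```python
"""
Added example (not from the original article): a minimal, vendor-agnostic
360-degree risk score computed over constructed asset records from several
sites. The central view ranks every asset the same way regardless of OEM
("think global"); the per-site plan lets local controls experts decide the
time, place and sequence of remediation ("act local").
All weights, scales and sample data are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed weights; in practice IT and OT would agree on these together.
W_VULN = 0.4          # worst unpatched CVSS base score on the asset
W_EXPOSURE = 0.3      # how reachable the asset is
W_CRITICALITY = 0.3   # consequence to the process if the asset is lost

# Assumed ordinal scales, mapped onto 0-10 so they combine with CVSS.
EXPOSURE = {"isolated": 2.0, "site_network": 5.0, "remote_access": 8.0, "internet": 10.0}
CRITICALITY = {"low": 2.0, "medium": 5.0, "high": 8.0, "safety": 10.0}


@dataclass
class Asset:
    site: str
    name: str
    vendor: str           # recorded for reporting; the scoring never branches on it
    max_cvss: float       # highest CVSS base score among known, unpatched CVEs
    exposure: str         # key into EXPOSURE
    criticality: str      # key into CRITICALITY
    controls: list = field(default_factory=list)  # compensating controls in place


def risk_score(a: Asset) -> float:
    """Composite 0-10 score; each compensating control trims it by 10% (assumed)."""
    raw = (W_VULN * a.max_cvss
           + W_EXPOSURE * EXPOSURE[a.exposure]
           + W_CRITICALITY * CRITICALITY[a.criticality])
    mitigated = raw * (0.9 ** len(a.controls))
    return round(min(mitigated, 10.0), 2)


def prioritize(assets, threshold=6.0):
    """Central view: (score, asset) pairs at or above the threshold, highest first.
    Ties are broken by site and name so the ordering is stable across runs."""
    scored = [(risk_score(a), a) for a in assets]
    high = [(s, a) for s, a in scored if s >= threshold]
    high.sort(key=lambda t: (-t[0], t[1].site, t[1].name))
    return high


def remediation_by_site(assets, threshold=6.0):
    """Local action: the same prioritized list, split per site so the controls
    experts at each plant schedule the work around running operations."""
    plan = defaultdict(list)
    for score, a in prioritize(assets, threshold):
        plan[a.site].append((a.name, score))
    return dict(plan)


# Constructed sample inventory; vendor names and CVSS values are illustrative only.
SAMPLE_ASSETS = [
    Asset("plant-A", "hmi-01", "VendorX", 9.8, "remote_access", "high", ["app_allowlist"]),
    Asset("plant-A", "eng-ws-02", "VendorY", 7.5, "site_network", "medium", []),
    Asset("plant-B", "historian-01", "VendorZ", 9.1, "internet", "low", ["firewall_rule"]),
    Asset("plant-B", "plc-gw-03", "VendorX", 6.5, "isolated", "safety", ["firewall_rule", "read_only"]),
]

if __name__ == "__main__":
    for site, items in remediation_by_site(SAMPLE_ASSETS).items():
        print(site)
        for name, score in items:
            print(f"  {name}: {score}")
```

Note what the score does and does not do: the safety-critical gateway with a mid-range CVE drops below the threshold only because it is isolated and already has two compensating controls, while the low-criticality historian stays on the list because it is internet-reachable. That is the point of a composite view: a raw CVSS list would have ordered these assets differently.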
Industrial-controls security is an increasing challenge, fraught with rising cyber-threats and compliance requirements. However, creating a foundation that supports practical, operationally efficient tactics can enable IT and OT to come together to successfully secure these critical systems.
John Livingston is CEO of Verve Industrial