Cyberattacks against critical infrastructure in the last year reignited long-held concerns about the risks posed by industrial control systems. And though most incidents that grabbed headlines targeted IT systems, not the operational technology used to manage industrial operations, one reality stands clear: critical infrastructure owners and operators often have little visibility into the full scope of devices accessing their networks.
Indeed, while the Oldsmar, Florida hack of a water treatment facility shone a light on risks associated with remote access to industrial control systems, most other critical infrastructure attacks involve IT system vulnerabilities that could exist in any sector. Colonial Pipeline, for example, was what Sergio Caltagirone, vice president of threat intel at industrial security company Dragos, called “an OT outage, caused by an IT activity.”
What can be said for most incidents that occur within the industrial sector though – whether it be manufacturing or energy or agriculture to name only a few – is that owners and operators underestimated the OT/IT interdependencies, and did not know what precisely resided in their environments.
“I can't think of an enterprise I know that has a really good handle on their OT infrastructure,” said Ben Carr, chief information security officer at Qualys. “For so long, it's been a walled garden.”
A culture of walled gardens
Challenges associated with asset management in industrial sectors tie directly to the fact that OT for so long existed in silos – isolated from IT, and often managed by an entirely different team. Aspects of that have changed in the last decade, with those devices increasingly connected to the network. But management often remains distinct.
“Between enterprise IT and OT, they have some visibility now, but it's actually caused a false sense of security,” said Ron Fabela, chief technology officer for SynSaber, an Arizona startup that developed an industrial asset and network monitoring solution relying on sensors to map device location and performance. “They're not seeing any of the east to west traffic at all. We’re starting to get detection, but really at the choke points only.”
Fabela points to two reasons why these organizations lack full visibility: scale and inclination. Many solutions built for the enterprise can't be deployed to thousands of substations across an area, either because of technology shortcomings or because of costs, and often the intelligence garnered from enterprise solutions serves the wants of a board or executive team – not necessarily the industrial community.
“Each one of these environments is different. Even in the same organization, it can be so different from one generation plant to another. They're snowflakes,” said SynSaber CEO Jori VanAntwerp. “When you have an outright attack, the intelligence may only be applicable to one facility in the world, maybe two. That’s a pivot from the way that we use intelligence in information technology.”
The two SynSaber founders are quick to point out that when you talk to the plant operations teams, universally, they know exactly where every controller is, they know what it's doing, and they know how it's communicating. The gap, they say, is that nobody has codified that “tribal knowledge” into a security solution. And the mentality of the OT side, said Fabela, is often this: “If the plant's been running for 30 years fine, why change it?”
Breaking down the silos
Segmentation – of both technology and the teams themselves – is indeed a hallmark across OT environments, and in some respects is still a viable practice. But segmentation isn't going to work in every environment, particularly as more of these organizations recognize potential business value in connectivity to the OT, tied to production efficiency and better visibility into supply chains.
Suddenly the IT teams recognize that “you can't protect it if you don't know that it's there,” said Rick Driggers, former assistant director of integrated operations at the Cybersecurity and Infrastructure Security Agency and current critical infrastructure cyber lead at Accenture Federal Services. Now, “you have to know and understand what OT assets you have in your environment. You have to understand how they are configured and ensure that the configuration is to correct specifications. And you have to have those consistent policies and plans to be able to understand what your OT environment looks like at any given time.”
Step one in that series of best practices – taking a comprehensive inventory – may be easier than in an IT environment, because industrial assets don't change that often. That can create challenges tied to legacy hardware, but as Carr of Qualys noted, it also allows for passive ways to detect and gather information without “having to sit necessarily on the OT devices themselves.”
But the configuration requirements can be more challenging. Organizations need to understand and define what critical functionality they are controlling, what they are monitoring, and what type of critical data they are accessing. That will help a resource-constrained environment allocate scarce security resources to protect what is most critical inside the environment, Driggers noted, whether it's a process, a function, or data. But it also introduces the need for solid change management processes and the long-absent collaboration with IT teams.
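One way to codify the inventory and configuration steps described above, as an added example that is not from the article or from any vendor it names: a passive inventory built from flow records (the kind a span-port sensor exports, including east-west traffic between controllers) and reconciled against a baseline specification of which protocols each asset is meant to serve. The addresses, roles and flows are constructed for illustration.

```python
# Added example, not from the article: passive OT asset inventory from flow
# records, reconciled against a baseline spec. All values are constructed.

# Constructed flow records as a sensor might export them:
# (source, destination, destination port). Port 502 is Modbus/TCP and
# 44818 is EtherNet/IP; the hosts and traffic are made up.
FLOWS = [
    ("10.10.1.10", "10.10.1.50", 502),    # HMI -> PLC-A, Modbus
    ("10.10.1.10", "10.10.1.51", 502),    # HMI -> PLC-B, Modbus
    ("10.10.1.51", "10.10.1.50", 502),    # PLC-B -> PLC-A, east-west
    ("10.10.1.77", "10.10.1.50", 502),    # host not in baseline polling PLC-A
    ("10.10.1.50", "10.10.1.10", 44818),  # PLC-A -> HMI, service HMI is not specified to serve
]

# The plant team's "tribal knowledge" written down: each asset, its role,
# and the ports (protocols) it is specified to accept.
BASELINE = {
    "10.10.1.10": {"role": "HMI",   "accepts": set()},
    "10.10.1.50": {"role": "PLC-A", "accepts": {502}},
    "10.10.1.51": {"role": "PLC-B", "accepts": {502}},
    "10.10.1.52": {"role": "PLC-C", "accepts": {502}},
}

def passive_inventory(flows):
    """Return {host: set of ports it was observed serving}, built only from
    traffic already on the wire, so no OT device is ever touched."""
    served = {}
    for src, dst, port in flows:
        served.setdefault(src, set())            # a talker counts as seen
        served.setdefault(dst, set()).add(port)  # a listener serves this port
    return served

def reconcile(observed, baseline):
    """Compare what was seen with what the specification says should exist."""
    report = {"unknown_hosts": [], "unspecified_services": [], "unseen_assets": []}
    for host, ports in sorted(observed.items()):
        if host not in baseline:                 # "you can't protect it if you don't know it's there"
            report["unknown_hosts"].append(host)
            continue
        extra = ports - baseline[host]["accepts"]
        if extra:                                # configuration drift from the spec
            report["unspecified_services"].append((host, sorted(extra)))
    # Baseline assets that never appeared: stale records, or a sensor blind spot.
    report["unseen_assets"] = sorted(set(baseline) - set(observed))
    return report

if __name__ == "__main__":
    print(reconcile(passive_inventory(FLOWS), BASELINE))
```

Each finding maps to a question an operator can act on: who is the unknown host, why is the HMI answering on a port the spec never listed, and whether PLC-C is gone or simply not visible from this sensor.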
“They have to have other security protocols in place, which is why the IT side of the house needs some visibility into the OT environment, to have those facility managers, the civil engineers, working with those responsible for IT security across the organization,” Driggers said.
And when that happens, different types of data are introduced into the security operations center, which transforms incident response plans and associated triage criteria. Ultimately, industrial sectors need to build capabilities and services to bring these two environments and the teams together, and drive what Driggers described as a paradigm shift in the application of security and the security culture of organizations.
“But the OT/ICS side of the house is probably 10 years behind information technology,” he added. “We have a long way to go.”