Back in the dark ages, before IOT, cloud, daily data breaches, and worldwide ransomware alerts (you know, before 2005), the utility industry started to become enamored with the idea of a smart grid and began merging the IT and OT networks – that’s one version of Internet of Things (IOT). Unfortunately, IOT these days most often means ‘Internet of Threats’.
And that brings us to IOT security, because there are common challenges across $15 webcams and $1.5M transformers and pumps. In this post, I’ll address the industrial-scale challenges and pick up the consumer ones in another post.
In the past, the operational network (OT environment) usually ran SCADA over serial lines, and those networks weren’t directly accessible from the TCP/IP (IT) networks that ran the information systems. To be sure, there was little security in the SCADA environment – in many cases you could plug directly into a remote terminal and have access to equipment, but you had to actually go on-site (or to a central control point) to do anything. With the advent of SCADA over IP, those networks and that equipment are now largely routable from the Internet.
These devices were engineered with safety in mind, not security. Some run code directly on the device itself, and others are controlled by a workstation – but neither has a good update mechanism available. Plus, many vendors never provided updated control software for the workstations, nor will they allow security tools to be installed on them, so we have a lot of XP still hanging out in the world running multi-million dollar equipment. At the time, perimeter-control security architectures were all the rage (to be fair, that’s about all we had), so the IT and OT networks were segmented and firewalled off from each other. That worked for a while…or so we thought.
Unfortunately the bad guys have gotten a lot better. While moats and castles are great, they’ve gotten very good at sneaking in over, around, under or through a door someone put in the wall. Sometimes there’s a PC with a modem running pcAnywhere (I kid you not – saw that last year) that they get through, and sometimes it’s sideways movement through the network. In either case, they’re already inside. On the IT side, it’s bad. On the OT side, it can be catastrophic and life threatening, as we’ve seen recently with the attacks on the Ukrainian utilities. So, the response was to stand up a separate OT security infrastructure – everything from SIEM to endpoint (where vendors allow), and all the other tools. The challenge is that by segregating the IT and OT security infrastructures, you lose the ability to track movement across the organization. This challenge is growing as the IT and OT environments continue to merge into a single infrastructure, not to mention the risk of OT penetration that results.
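To make the "you lose the ability to track movement" point concrete, here is an added example (mine, not from the original post or any vendor product) that joins events from a hypothetical IT collector and a hypothetical OT collector on (user, host). The log formats, host names, operator names and the 30-minute window are all constructed assumptions; the point is that neither side's SIEM alone would show an IT-side remote login turning into an HMI session and a controller write on the OT side.

```python
"""Added example: correlate IT-side and OT-side events to surface an IT-to-OT pivot.

The IT SIEM and the OT SIEM each see only half of the picture; joining them
on (user, host) turns a remote login on the IT side plus an HMI session on
the OT side into a single finding.
"""
from datetime import datetime, timedelta

# Constructed sample data (not real logs). The IT collector emits dict
# records; the OT collector emits space-separated key=value lines.
IT_EVENTS = [
    {"ts": "2017-06-01T02:14:05", "src": "vpn-gw", "user": "jsmith",
     "host": "eng-ws-17", "action": "vpn_login"},
    {"ts": "2017-06-01T02:20:41", "src": "ad-dc1", "user": "jsmith",
     "host": "eng-ws-17", "action": "interactive_logon"},
    {"ts": "2017-06-01T09:02:11", "src": "ad-dc1", "user": "mlee",
     "host": "fin-ws-03", "action": "interactive_logon"},
]
OT_LINES = [
    "2017-06-01 02:27:13 hmi-02 session_open source=eng-ws-17 operator=jsmith",
    "2017-06-01 02:31:55 plc-07 modbus_write source=hmi-02 register=40010 operator=jsmith",
    "2017-06-01 09:15:00 hmi-01 session_open source=ctrl-room-01 operator=rwong",
]
# Hosts from which HMI sessions are expected (the control room); assumed.
APPROVED_OT_SOURCES = {"ctrl-room-01"}


def parse_ot_line(line):
    """Parse 'YYYY-MM-DD HH:MM:SS <device> <action> k=v ...' into a dict."""
    parts = line.split()
    event = {
        "ts": datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S"),
        "device": parts[2],
        "action": parts[3],
    }
    for kv in parts[4:]:
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def correlate(it_events, ot_lines, approved_sources, window=timedelta(minutes=30)):
    """Return one finding per OT session opened from a non-control-room host
    shortly after the same user logged on to that host on the IT side."""
    it = [dict(e, ts=datetime.fromisoformat(e["ts"])) for e in it_events]
    ot = sorted((parse_ot_line(l) for l in ot_lines), key=lambda e: e["ts"])
    findings = []
    for session in ot:
        if session["action"] != "session_open":
            continue
        if session.get("source") in approved_sources:
            continue  # expected operator workflow, no cross-domain hop
        # IT logons by the same user on the same host inside the window.
        precursors = [
            i for i in it
            if i["user"] == session.get("operator")
            and i["host"] == session.get("source")
            and timedelta(0) <= session["ts"] - i["ts"] <= window
        ]
        if not precursors:
            continue
        first = min(precursors, key=lambda i: i["ts"])
        # Control actions the same operator took after the session opened.
        writes = [
            e for e in ot
            if e.get("operator") == session.get("operator")
            and e["ts"] > session["ts"]
            and e["action"].endswith("_write")
        ]
        findings.append({
            "rule": "it_to_ot_pivot",
            "user": session["operator"],
            "it_host": session["source"],
            "it_action": first["action"],
            "ot_device": session["device"],
            "minutes_between": int((session["ts"] - first["ts"]).total_seconds() // 60),
            "follow_on_writes": len(writes),
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(IT_EVENTS, OT_LINES, APPROVED_OT_SOURCES):
        print(finding)
```

Run as-is it reports one finding: jsmith's VPN login on eng-ws-17 followed 13 minutes later by an HMI session from that host and one controller write. The control-room session is ignored because it matches the expected workflow; that allow-list is where most of the tuning effort goes in practice.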
So, what to do? First, for companies with a large OT network – utility, oil & gas, petrochemical, and so forth, leverage your strengths. Instead of taking a cyber security approach, move to a cyber safety focus. The operations folks understand preventative maintenance, emergency procedures, and risk management from a safety standpoint – let’s go talk their language instead of ours. Accident Zero = Incident Zero.
Second, align IT and OT technology infrastructure strategy, security, and architecture (I know, easier said than done). As the convergence gains steam, it’s time to revisit the two-headed CIO-IT and CIO/CTO/COO-OT structure that’s typical. Ultimately one person needs responsibility for both environments, and the CISO should report at that level – not just to the CIO-IT (or even further down the chain). If there’s a chief risk or safety officer, that might be a good place for security to live.
Third, work with procurement to incorporate security requirements into both IT and OT purchases. Some key ones are:
- Secure update capability
- Compatibility with major security solutions (endpoint, SIEM, antimalware)
- Security SLA, including long-term commitments for patches on major capital equipment, remediation timeframes, and vulnerability alerts and disclosure guarantees
- Pen testing and vulnerability scanning of OT components prior to release
- Hands-off remote support – i.e. vendor does not have direct access without local staff involvement. I prefer a screen sharing approach, where the vendor tells staff what to do, so it’s always in-house hands on the keyboard.
Net: Don’t buy things that can’t be updated, or from vendors that don’t have a security plan.
Fourth, leverage what the IT folks have learned to secure the OT environment. That includes vulnerability assessments and triage of assets. If (when?) risks are found, have a mitigation plan put in place quickly. Two cautions: remember that airgaps aren’t a panacea, and the IT folks need to realize that ‘maintenance window’ has a very different level of flexibility in the OT world than in IT – even in a cyber emergency. The OT environment has to be able to function – perhaps for days or weeks – with an active threat. Shutting down a blast furnace or drilling rig for a patch or other remediation is neither quick, nor cheap.
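As an added illustration of triage that respects OT maintenance windows (my example, not the post's or any vendor's method), the following scores a small constructed inventory and splits each asset's plan into what happens now and what waits for the window. The scoring weights, thresholds, asset names and attribute values are all assumptions chosen for illustration; the structure is what matters: unpatchable or unsupported gear gets compensating controls and a replacement line item, and patchable high-risk gear gets compensating controls while it waits for the window.

```python
"""Added example: triage OT assets and pick a mitigation that respects OT
maintenance windows (patch when you can, compensate when you can't)."""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    cvss: float              # highest open vulnerability score (0-10)
    reachable_from_it: bool  # routable from the IT network
    internet_exposed: bool   # routable from the Internet
    patch_available: bool    # vendor has shipped a fix
    vendor_supported: bool   # vendor still supports this platform
    safety_critical: bool    # failure can injure people or damage plant
    days_to_window: int      # days until the next planned maintenance window


def risk_score(asset):
    """CVSS plus exposure and consequence modifiers (assumed weights), capped at 15."""
    score = asset.cvss
    if asset.internet_exposed:
        score += 3.0
    elif asset.reachable_from_it:
        score += 1.5
    if asset.safety_critical:
        score += 2.0
    if not asset.vendor_supported:
        score += 1.0
    return round(min(score, 15.0), 1)


def mitigation_plan(asset, interim_threshold=8.0, urgent_days=7):
    """Decide what to do now and what to do at the maintenance window."""
    score = risk_score(asset)
    now, at_window = [], []
    compensating = ["isolate to OT VLAN / allow-list peers", "enable passive monitoring"]
    if not asset.patch_available or not asset.vendor_supported:
        # Nothing to patch: compensating controls carry the risk until replacement.
        now += compensating
        at_window.append("schedule replacement (unsupported or unpatchable)")
    else:
        if score >= interim_threshold and asset.days_to_window > urgent_days:
            # Window is too far out to leave a high-risk asset unprotected.
            now += compensating
        at_window.append("apply vendor patch after safety review and bench test")
    return {"asset": asset.name, "score": score, "now": now, "at_window": at_window}


def triage(assets):
    """Highest risk first, so the mitigation backlog is worked in the right order."""
    plans = (mitigation_plan(a) for a in assets)
    return sorted(plans, key=lambda p: p["score"], reverse=True)


# Constructed inventory for illustration; names and values are made up.
SAMPLE_ASSETS = [
    Asset("hist-01", 5.3, False, False, True, True, False, 5),
    Asset("hmi-02", 9.8, True, False, True, True, False, 21),
    Asset("plc-07", 7.5, True, False, False, False, True, 45),
    Asset("eng-ws-17", 8.1, True, True, False, False, False, 3),  # the XP box
]


if __name__ == "__main__":
    for plan in triage(SAMPLE_ASSETS):
        print(plan)
```

With the sample inventory the unsupported XP workstation and the safety-critical PLC land at the top with compensating controls and a replacement line, the HMI gets isolated now and patched in three weeks, and the low-risk historian simply waits for its window. Swap the weights for whatever your risk register already uses; the point is that "patch now" is never the only branch.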
In the end, we’re going to see more BlackEnergy and similar attacks – I had one CISO speculate that their network was likely hosting bad guys who had access, but were dark and just waiting. Kind of like pre-positioning military equipment in case you need rapid deployment. While there’s a touch of FUD there, there’s also a bit of probability. The convergence is happening, and it’s being driven largely by folks figuring out how to make it work, not people wondering how it’ll break. That’s human nature. So, it’s up to us, the Cyber Safety professionals, to lead our IT and OT teams into a secure IOT future.