Doug Lhotka

Technical Storyteller


Opinions and commentary are mine, and do not reflect those of my employer.

(C) Copyright 2019-2023
Doug Lhotka.
All Rights Reserved.
Use of text, images, or other content on this website in generative AI or other machine learning is prohibited.

IT + OT = Internet of Threats: Securing a Converged Environment

July 6, 2017 By Doug


Back in the dark ages, before IOT, cloud, daily data breaches, and worldwide ransomware alerts (you know, before 2005), the utility industry started to become enamored with the idea of a smart grid and began merging the IT and OT networks – that’s one version of Internet of Things (IOT).  Unfortunately, IOT these days most often means ‘Internet of Threats’.

And that brings us to IOT security, because there are common challenges across $15 webcams and $1.5M transformers and pumps.  In this post, I’ll address the industrial scale challenges, and pick up the consumer ones in another post.

In the past, the operational network (OT environment) usually ran SCADA over serial lines, and those networks weren’t directly accessible from the TCP/IP (IT) networks that ran the information systems.  To be sure, there was little security in the SCADA environment – in many cases you could plug directly into a remote terminal and have access to equipment, but you had to actually go on-site (or to a central control point) to do anything.  With the advent of SCADA over IP, those networks and that equipment are now largely routable from the Internet.

These devices were engineered with safety in mind, not security.  Some have code running directly on the device itself, and others are controlled by a workstation – but neither has a good update mechanism available.  Plus, many vendors never provided updated control software for the workstations, nor will they allow security tools to be installed on them, so we have a lot of XP still hanging out in the world running multi-million dollar equipment.  At the time, perimeter control security architectures were all the rage (to be fair, that’s about all we had), so the IT and OT networks were segmented and firewalled off from each other.  That worked for a while…or so we thought.

Unfortunately the bad guys have gotten a lot better.  While moats and castles are great, they’ve gotten very good at sneaking in over, around, under or through a door someone put in the wall.  Sometimes there’s a PC with a modem running PCAnywhere (I kid you not – saw that last year) that they get through, and sometimes it’s sideways movement through the network.  In either case, they’re already inside.  On the IT side, it’s bad.  On the OT side, it can be catastrophic and life threatening, as we’ve seen recently with the attacks on the Ukrainian utilities.   So, the response was to stand up a separate OT security infrastructure – everything from SIEM to endpoint (where vendors allow), and all the other tools.  The challenge is that by segregating the IT and OT security infrastructures, you lose the ability to track movement across the organization.   This challenge is growing as the IT and OT environments are continuing to merge into a single infrastructure, not to mention the risk of OT penetration as a result.

So, what to do?  First, for companies with a large OT network – utility, oil & gas, petrochemical, and so forth, leverage your strengths.  Instead of taking a cyber security approach, move to a cyber safety focus.  The operations folks understand preventative maintenance, emergency procedures, and risk management from a safety standpoint – let’s go talk their language instead of ours.  Accident Zero = Incident Zero.

Second, align IT and OT technology infrastructure strategy, security, and architecture (I know, easier said than done).  As the convergence gains steam, it’s time to revisit the two-headed CIO-IT and CIO/CTO/COO-OT structure that’s typical.  Ultimately one person needs responsibility for both environments, and the CISO should report at that level – not just to the CIO-IT (or even further down the chain).  If there’s a chief risk or safety officer, that might be a good place for security to live.

Third, work with procurement to incorporate security requirements into both IT and OT purchases.  Some key ones are:

  • Secure update capability
  • Compatibility with major security solutions (endpoint, SIEM, antimalware)
  • Security SLA, including long-term commitments for patches on major capital equipment, remediation timeframes, and vulnerability alerts and disclosure guarantees
  • Pen testing and vulnerability scanning of OT components prior to release
  • Hands-off remote support – i.e. vendor does not have direct access without local staff involvement. I prefer a screen sharing approach, where the vendor tells staff what to do, so it’s always in-house hands on the keyboard.

Net: Don’t buy things that can’t be updated, or from vendors that don’t have a security plan.

Fourth, leverage what the IT folks have learned to secure the OT environment.  That includes vulnerability assessments and triage of assets.  If (when?) risks are found, have a mitigation plan put in place quickly.  Two cautions: remember that airgaps aren’t a panacea, and the IT folks need to realize that ‘maintenance window’ has a very different level of flexibility in the OT world than the IT – even in a cyber emergency.  The OT environment has to be able to function – perhaps for days or weeks – with an active threat.  Shutting down a blast furnace or drilling rig for a patch or other remediation is neither quick, nor cheap.

In the end, we’re going to see more Black Energy and similar attacks – I had one CISO speculate that their network was likely hosting bad guys who had access, but were dark and just waiting.  Kind of like pre-positioning military equipment in case you need rapid deployment.  While there’s a touch of FUD there, there’s also a bit of probability.  The convergence is happening, and it’s being driven largely by folks figuring out how to make it work, not people wondering how it’ll break.  That’s human nature.  So, it’s up to us, the Cyber Safety professionals, to lead our IT and OT teams into a secure IOT future.

Filed Under: Security Tagged With: industrial control systems, Internet of Things, IOT, IT, OT, SCADA

Data Breach Liability & Credit Monitoring

June 29, 2017 By Doug


Apparently there’s a proposed settlement for the Anthem breach.  As a refresher, this was one of the largest data breaches on record, with roughly 80 million individuals’ data compromised.  The settlement breaks records – for $115M.  But is it a good settlement?

What victims are going to get is two years of low value credit monitoring – at a cost of $659/person or about $50M (assuming everyone signs up). There’s also a potential for folks to claim actual costs associated with the disclosure.  The attorneys are getting about $39M – nice paycheck there.   I’ll leave comment on the fairness of the legal fees alone, and just focus on the first two, because ‘two years of credit monitoring’ seems to be the industry playbook for a data disclosure.

That playbook covers credit card data theft, medical records, and other financial information alike.  Unfortunately, the risk and impact can vary widely depending on what’s stolen.  When Target, Home Depot, or TJ Maxx lost credit cards, it’s an annoyance – you have to get a new card, maybe make a couple of phone calls, and you’re done.  Debit cards carry much more liability and can be harder to recover from.  As an aside, that’s why I recommend against using – or even having – them, as they have a much lower level of legal protection than a credit card.  In those cases, two years of credit monitoring might be fine.

Situations where your fundamental data is lost – SSN, birth date, medical history, banking information, and so forth – present life-long risks.  These range from on-going identity theft, criminal fraud, and extortion to loss of employment or other opportunities.  In those cases, as with Anthem, two years of monitoring is inadequate given the long term impact.  It’ll take the bad guys more than that long to work through that number of records.  This is a business for them, and they’re likely to just be patient and wait to use most of them until after the free period expires.

And let me be clear, I’m right there with Brian Krebs’ opinion of credit monitoring.  It’s overpriced, and at best will let you know that your credit was just stolen, not prevent the theft.  He recommends (and I wholeheartedly echo) that the best option is to get a credit freeze from all four agencies.  Rather than recreate his good work, here’s a link to instructions on how to do it.  Even if you weren’t part of this breach, it’s worth doing as a preventative measure – as is creating accounts with the IRS and the Social Security Administration.  Oh, and if you freeze your accounts, monitoring services are useless, as third party ones can’t see anything, and the in-house ones can only see in-house data.

Take a few minutes and go do that (if you’re at a secure system), I’ll wait……

Ok, all done?  Good.  If you want to hedge your bets, getting coverage for identity restoration services might be worthwhile.  State Farm and AllState offer a rider for homeowner’s policies that’s affordable.

As far as documenting actual costs and getting them recovered, you might be able to get the cost of placing a freeze covered, but that’s about it – and I doubt they’ll cover the costs for the rest of your life.  Similar to when I’ve written about how hard attribution of an attack to a particular agent is, attributing identity theft to a particular breach is essentially impossible.  How aggressive will they be on proving a linkage?  It’ll be interesting to see.

So what would I like to see instead of this canned playbook?

  • Cash award option for the retail cost of the identity theft services offered. Lifelock’s top end one runs about $650 for two years.  That’d cover a big chunk of the freeze/unfreeze costs for many years.
  • Formal letter sent to each victim stating that they are at risk of identity theft. In many states, that triggers free freeze/unfreeze options.
  • Counselors available to help obtain freezes when there’s inaccurate information on credit reports that prevents the automated systems from working (I had that at one agency…extremely painful to resolve).

Tort reform, and caps on attorney fees are also on my list, but this is a security blog, not a political one.  But there is one political solution here – we need to reform data ownership laws.  If it’s our data, and these companies are just the custodians of it, and liable under law for abuse, misuse and disclosure, it’ll change behavior.

In the end we should all assume that our personal information either has been, or will be, captured by the bad guys and take appropriate precautions.  That means watching credit card and bank statements for suspicious activity, not answering any inbound phone call about personal information (call the company back from the number on your statement), getting a credit freeze and locking down other accounts, never, ever using a device other than your own for financial transactions and buying – and using – a shredder.

Filed Under: Security Tagged With: breach, credit freeze, credit monitoring, data breach, disclosure, identity theft, IRS, Social Security

Cognitive Fuzziness – Getting the definition right

June 23, 2017 By Doug


There’s a ton of hype about cognitive security in the marketplace these days, and the marketing departments are operating in full force.  So beyond the hand waving, cheerleading and me-too-ing, what do we actually mean by cognitive?

Cognitive involves three things:  The ability to mine data for information, the ability to recognize patterns in that data, and the ability to understand natural language.   The key component across all of these is an ability to reason and infer on a probabilistic basis from the context of the information.  But it’s not Lt. Commander Data from Star Trek fame – cognitive isn’t artificial intelligence.  It’s more like the library computer in the original series, that is, a machine that can answer questions put to it.  Cognitive is a foundational technology for AI, but we’re a long way from real AI – 2001 came and went without HAL, and so will 2017.

Machine learning, which is often confused with cognitive (sometimes deliberately), has been around for years, and while it’s an enabling technology, there’s no magic there.  It can be extremely useful, but there are also some limitations to keep in mind.  The models created are only as good as the data inputs and variables selected.  Poor input data yields models that may appear to work, but diverge over time, and you’d best hope that the data isn’t already compromised when the model is built.  Even when you have a good baseline, continuously updated models can be either spoofed (reset the ‘normal’ baseline over time), or destabilized by a persistent, and patient attacker.  There are techniques to combat the attacks, so it’s worth asking about which ones are used.
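To make the baseline-spoofing risk concrete, here is an added example (not code from the original post) of a toy self-updating anomaly detector. The metric, the vetted training window and the attacker’s slow ramp are all constructed; the unguarded version learns from every sample and can be walked to a new ‘normal’, while the guarded version keeps a frozen reference from the training window, refuses to learn from flagged samples, and raises a drift alert when the rolling baseline wanders too far from that reference.

```python
"""Baseline poisoning of a self-updating anomaly detector, and one guard.

Added example, not from the original post. The metric could be any
per-interval counter (e.g. bytes leaving an OT historian); all data here
is constructed.
"""
from statistics import mean, pstdev

# Constructed "known good" training window: mean 100, population std sqrt(2).
TRAINING = [98, 102, 99, 101, 100] * 10

def detect(stream, alpha=0.25, k=3.0, guard=True):
    """Score samples against an EWMA baseline; return (index, kind) alerts.

    guard=False: the baseline learns from every sample, so a patient
    attacker can walk it anywhere (the spoofing the text warns about).
    guard=True: sigma and a frozen reference mean come from the vetted
    window, flagged samples are never learned from, and the rolling mean
    may drift at most k*sigma from the reference before a 'drift' alert
    fires and the baseline is snapped back.
    """
    ref_mu, sigma = mean(TRAINING), pstdev(TRAINING)
    mu, alerts = ref_mu, []
    for i, x in enumerate(stream):
        if abs(x - mu) > k * sigma:
            alerts.append((i, "point"))
            if guard:
                continue            # never adapt to a sample we just flagged
        mu = (1 - alpha) * mu + alpha * x
        if guard and abs(mu - ref_mu) > k * sigma:
            alerts.append((i, "drift"))
            mu = ref_mu             # refuse to accept the new 'normal'
    return alerts

# Constructed attack: 200 samples rising 0.5 per interval (never more than
# ~2 above the trailing baseline), then five samples at the doubled level.
RAMP = [100 + 0.5 * t for t in range(1, 201)] + [200.0] * 5

def naive_alerts():
    return detect(RAMP, guard=False)   # returns [] : the ramp is never seen

def guarded_alerts():
    return detect(RAMP, guard=True)    # first alert is a drift alert at index 11

if __name__ == "__main__":
    print("unguarded:", naive_alerts())
    print("guarded:", guarded_alerts()[:3], "...")
```

The guard trades some adaptivity for a hard envelope around a baseline a human vetted; in practice the drift alert is the cue to review the data and retrain, not to auto-accept the shift.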

Cognitive uses machine learning as a training tool when it’s being taught to understand a particular set of vocabulary and grammar – cybersecurity for example.   Traditional unstructured information systems simply operate on keywords and often metadata, but cognitive systems understand the context of the information components in relation to each other.  For example, if I talked about Apple’s CEO eating an apple while negotiating a contract with Apple, most engines would return the document based on a keyword – Apple, or potentially from tags or metadata a human added to the document.  A cognitive engine with a large corpus might return that document for questions about computer companies, fruit that grows on trees, and the Beatles’ record company, depending on how the question was worded.

So when using terms like machine learning, cognitive, or artificial intelligence applied to cyber security, it’s important to be crisp about which one is used, and what it implies. We’re not quite in snake oil territory here, but there is a lot of both intentional fuzziness and casual laziness in the press and marketing.  Regardless of which term though, remember that there’s no silver bullet that will solve your security challenges.  Cognitive is a force multiplier, but not a magic army.

Filed Under: Security Tagged With: artificial intelligence, cognitive, cybersecurity, machine learning, natural language, snake oil
