Published on April 18th, 2022
IT/OT convergence, frameworks and cybersecurity threats
When you read your favorite cybersecurity blog, do you often wonder what it would be like to sit down with the authors and get their real thoughts about some of the topics they write about? Most blogs and articles are so carefully curated, edited, fact-checked, and linked to supporting evidence that they can seem somewhat stilted, and worse, heavily contrived. Perhaps this is why meeting some of the speakers and authors at public events is so much fun. It gives us all a chance to hear the person in an informal setting, with all the possible candor that makes for a true connection.
We thought this may be a good approach for a new series that we call “Pub Talk”. It gives us a chance to get an unvarnished glimpse at some of the cybersecurity issues of some of the popular and respected experts in the field. These are the conversations that we all want to have over our favorite beverage. Unbridled, honest, yet still family-friendly, we hope you enjoy these casual conversations.
In our first chat of the series, we imagine ourselves at the Revolution Bar on Clapham High Street, in London. As the drinks are served, I am joined by Henry Partridge, from Belden, and Lane Thames, and Tyler Reguly, who are both from Tripwire.
Richard: From an OT security standpoint, what is the top of your list as far as OT security is concerned?
Tyler: I think a lot of it is that low-hanging fruit idea. One of the things that, even today when I was looking at the latest in the CSA industrial alerts, the very first one on the list was the problem of hard-coded credentials. Things that we were fixing in the nineties in IT are just being discovered in OT as we start to do a lot of IT/OT convergence. And, so, I think one of the big things that I notice is that we have all these little issues, whether it’s systems that don’t work, or hard-wired passwords sitting on the factory floor, or it’s these systems that are going onto our networks where the vendor says, “well, our best practice is to not plug it into your local network”.
Henry: It’s obvious that people are going to want to have remote access into these plants, and those types of devices are inherently insecure, especially as you open up different systems that may be not as secure as you would expect them to be even outside the plant. You definitely want your low-lying fruit to be taken care of, like Tyler was saying.
Richard: What are some of the best tips or tricks, because remote access just seems like it’s going to happen? How do you mitigate that risk?
Henry: You want to establish a security perimeter where you say, this is the plant, this is where the data’s coming from. Then you want to put in some kind of restrictor or firewall at that point. Possibly even a DMZ, where you can push the data from the plant into the DMZ, and then from that DMZ, you allow only certain connections to happen.
Richard: Good advice there. It sounds almost historical. I mean, that’s where we once were. We had industrial control systems created without having to worry about security. Lane, how about you? I didn’t get a chance to turn to you about some of your top-of-mind OT security concerns.
Lane: When I look at 10 years down the road, five years down the road, the problem with this is about segmentation and firewalling and stuff in terms of opening up firewall holes with policies. The thing that I see in the future is scale. Just today, we had a heated debate on what to call an “edge device” in the very near future. As we start retrofitting or replacing and refurbishing legacy systems with cheaper and more powerful systems with, in particular, more powerful communication and computing capabilities and the ability to communicate over an IP-based network, this is where the scale aspect comes in.
Richard: Tyler, I’m intrigued. From your perspective, as far as IT/OT convergence, it’s some scary movie where the Monster’s right behind you. What’s your perspective on that convergence, and where are we, and maybe a prediction about when that gap actually closes?
Tyler: It’s interesting, because you referenced a horror movie monster, but we’re now seeing horrors that are built around IoT devices, and they feel much more realistic and more frightening to look at, where you see these devices that are allowing people direct access to your network through any number of means; great for automating little tasks and stuff, but in order to have that, I now have to have a hub in my home. It has to have a connection to the internet. It has to receive data back in from other services. So, now I’ve got not just these devices that people could potentially connect directly to, but I’ve also got paths in from the various service providers because it uses a cloud-based model.
Whether you look at these home IoT devices or medical IoT devices or military IoT or industrial IoT, any of these devices have that same problem where we’ve become reliant on various cloud providers that are giving us access to our data either through their systems. This means that now we get into those supply chain issues where we have all of these different other cloud service providers that have a path through our network.
There is a television show on where the last episode was literally about taking out a power grid, and the way that they approached it was to compromise one of the service providers. Yes, it was a TV show. Yes, they simplified things, but that sort of attack of all these different cloud service providers that we’re giving paths in and out of our network, even if it’s just temporary, is a really scary thing that I don’t think we’re looking at, especially in terms of IT/OT convergence. We’re thinking about them in terms of maybe IT; we’re not thinking about what that means to the industrial networks that we’ve connected to our IT networks. I think that’s going to be the next round of horror movies.
Richard: Do any of you think that there’s going to be some type of ISO certification, or a seal of approval or something where these millions of devices have been identified at some level of security? A scale of one through five, instead of having to run it through your own lab and building your own security or practice around it?
Lane: I know that folks that I work with have been talking about this. Some type of an organization that could actually say, “Hey, this is a good, certified device.” If you think about some of the recent executive orders and stuff that has been happening recently, I would hope that some type of standards organization would come in to help with certifying certain types of things. But if you think about industrial systems, what about a car? These cars that communicate over the air. People don’t really quite realize that even maybe some of the gadgets we buy, like the thermostat in your house, what can a criminal do?
Richard: From an operator standpoint, what’s the first couple of steps or approaches that you’d recommend in order to try to quantify the problem?
Lane: From an operational perspective, visibility is first and foremost. You can’t protect what you don’t know you have. If you bring in a crazy device, like a Wi-Fi connected device, and you put it in the employee kitchen for your employees to use, you can’t just do that and it benefits the employees, because that device might be a foothold for a criminal who wants to break into your OT network. Visibility across the entire space of IT and OT is going to be first and foremost in this process.
Henry: Those entry points in and out of the OT environment are key. You have some kind of devices that can monitor that traffic and possibly even send logs or to a correlator that can trigger some sort of alert about unusual traffic. I agree with Lane that you have to have that visibility to see the anomaly.
Lane: We mentioned earlier this idea of an air gap, but the phrase “air gap” needs to go away because we can no longer provide a guaranteed air gap. There are so many connected OT devices that you can’t even imagine it in terms of the scale. Visibility in terms of, if you know what’s on your network, then the next step is that you should know where it’s connecting and how it’s connecting.
Tyler: I teach my students who don’t promote industrial security how you can easily find exposed devices on the internet. I encourage everyone to try and diagram every connected device on their home network. I tried this in my apartment. My apartment’s under 700 square feet. I still could not get every single connected device that I have. I looked at it and revisited it multiple times. And every time I scanned my network, I found new devices. If you can’t diagram your entire home network, how are you ever going to know what’s on your network in the enterprise, what’s on your network on the factory floor? It’s absolutely impossible.
Richard: The visibility challenge is big enough, let alone trying to get “underneath the hood” of these devices to figure out where and how they were manufactured. I like how you illustrate it, and how both of you have talked about just kind of the evolution of the industrial spaces. It’s a relatively immature space. Henry, how do you see IT getting involved with OT? How do you see that convergence happening?
Henry: Well, I think there could be some good things that IT can offer us as far as some of what they’ve had to deal with. For example, IT has been working with remote access a lot longer than OT has. For OT, it’s more of a new thing. Maybe there could be some more defense in depth by pulling remote access through the IT network and keeping in and gaining that little extra wrapper of security that they might have, but then there’s also risk there too. It depends on how well the IT space is secured.
Tyler: I think there are two spaces where I’d like to see huge improvements in growth. One is that a lot of the more active IT security technologies have been pushed out to the OT space, and that’s due to instability in OT products. Let’s use printers as a hypothetical example, even though they’re not OT necessarily, but the idea that these products are built with very weak TCP stacks that can’t handle a lot of the active discovery and active scanning techniques that we see. I’d really love to see the vendors of these technologies take a more active step in making systems that are more robust. And the second one is I would love to see a lot more IT/OT convergence when it comes to not only the technologies, but red teaming and blue teaming exercises.
Lane: Richard Feynman said one time that it was a beautiful time to be a physicist. To me, as an engineer, I’ll say it’s a beautiful time to be an engineer because we’re entering a new world where it’s very exciting. One of the key things of doing this is significant interdisciplinary collaboration between those involved, the IT and the control engineers, and the OT folks working together.
Richard: What are the biggest cybersecurity threats right now? Ransomware, internal breaches, remote access, industrial espionage?
Tyler: Can I say “all of the above”? I mean, if you look at the news right now, it’s probably ransomware that’s driving a lot of the news that we’re seeing. I think most organizations need to do a much better job of making their staff aware of what they can and can’t do, what they can and can’t click on. That’s always going to be a huge threat until we figure out a better way to deal with that.
Lane: Ransomware is one of our biggest threats, and the vector to get in is often phishing. And, as Tyler just mentioned, this is based off of poor awareness and such, but there is also an increase in threat actors in criminal organizations that implement advanced persistent threats, or APTs as we call them, that are starting to focus and drill in on ICS networks, industrial control system networks.
Henry: I think in this environment where everyone’s trying to work from home and take advantage of remote access, it just accentuates the risk that we’ve talked about and that Lane and Tyler just talked about, because it opens up more doors.
Richard: From my standpoint, it’s a “follow the money” approach, and certainly ransomware is the most present monetization of cybercrime. When you describe a network as “robust”, what do you think is the best way to demonstrate that?
Tyler: The CIS controls that were updated this year are a great starting point. I think if you can get through those controls, that’s robust. If you have questions about them, the State of Security blog has been reviewing one control a week for the last 14 weeks. If you can look at those controls and say, “Hey, I’m practicing all of that on my network”, I would consider you to have a robust network at that point.
Lane: We talked about devices that might be connected to the internet, but applying these controls is especially critical in the top of your IT organizations, because that’s how the attackers are getting in to get into your OT networks. Keep in mind that in many, many cases, breaking into the IT network can shut down your OT networks. The Colonial Pipeline incident is a perfect example of that particular case.
Henry: Yeah, I think a good network design is helpful in creating a robust network. If you look at the NIST guidelines for ICS networks, that would be a good place to start to get some basic good network design and robustness for your networks.
Richard: It looks like the bartender has made the rounds for last call. This has really been an excellent time chatting with you all. I definitely learned some things here today. And practicing robust security and being protected is why we’re sitting in these seats. And we will continue on this journey, because there is no endpoint. The bad people out there continually get creative and keep us employed and active.
And, with that, we got our coats and walked off towards the Clapham North tube to head home, considering what the future holds for IT/OT convergence, and every other cybersecurity concern.
Be sure to subscribe so you can sit down with another group of cyber professionals for our next edition of Pub Talk.