On July 14, Nozomi Networks’ OT Cybersecurity Strategist Danielle Jablanski hosted a cohort of government and industry experts to discuss “Building a Cyber Fortress: Preparedness and Resilience in Critical Infrastructure.” The webinar prompted experts to weigh in with concrete and practical recommendations, rather than a theoretical or idealistic wish list of things that sound like good objectives. Across the board, panelists shared their experiences and expertise, focusing on the past, present, and future ability of OT and ICS owners and operators to prevent cyber incidents that can disrupt their operations.
As Mark Bristow, Director of the Cyber Infrastructure Protection Innovation Center at MITRE, noted, the chess board is often checkered with boogeymen (internal vulnerabilities) and ninjas (external threat actors). Too much focus on the boogeymen may lead to an enumeration of CVEs that is unlikely to reduce an organization’s overall risk landscape, and for which requisite vendor patches or appropriate updates may not exist. Meanwhile, hyper-focus on threat actors that target critical infrastructure can lead to means-based, rather than effects-based, assessments of the true level of damage that can occur for an entity or at a location.
Additionally, accidental situations and insider scenarios require special attention. In fact, OT end user survey respondents cite “‘negligent insiders’ as the single most common threat actor in control system security compromises.”
How threat intelligence, access points and exploitable vulnerabilities, and the potential consequences of negligence pair up is specific to each purpose-built environment and its mission. Luckily, there are many ways to reduce the severity of potential impacts.
Tackling Hard Problems
Operations that have digitized any part of their supply, delivery, or supervision will continue to be highly disruptable targets that tolerate little to no downtime. Michael Dransfield, Senior Technical Executive, Control Systems Cybersecurity at the U.S. National Security Agency, pointed out that increased automation, lack of visibility, and complex, just-in-time supply chains exacerbate the severity of potential impacts.
There are several ways to calculate risk depending on the capture of known vulnerabilities and existing capabilities, though these variables cannot determine your likelihood of being targeted. What is critical to protect will depend on what exactly is at stake for your mission.
Beginning with this end in mind, security postures can be assessed by how well they prioritize and protect the most critical equipment, processes, and systems used to carry out that mission. With that goal, a more practical roadmap can be established for introducing useful security tools, defense in depth strategies, and zero trust concepts.
Addressing Cultural Gaps
In the OT and ICS world there are few clear-cut paths to industrial cybersecurity professions. Meanwhile, the tacit knowledge required to understand operations environments is steadily declining. The talent gap in critical infrastructure extends beyond the ability to fill open requisitions, to the challenge of training, education, and awareness about both controls processes and non-enterprise security specifications.
Investing in people is as important as security tools are for advancing cybersecurity across critical infrastructure sectors. Training, professional development, exercises and simulations, apprenticeships, workforce retraining, tuition assistance, and on-the-job silo-busting are practical approaches to addressing the talent gap, which is itself a risk when set against the growing ranks of capable threat actors in the world.
Gartner’s recent Cybersecurity Predictions for 2022-23 include “By 2025, threat actors will have weaponized operational technology environments successfully to cause human casualties.” Ken Fowler, COO and CISO at the Cybersecurity Manufacturing Innovation Institute, described the challenges associated with a cultural shift toward integrating cybersecurity more fully into process and safety conversations, and away from closed C-suite meetings.
In the survey referenced above, a majority of OT end users responded that protecting public safety is the top control system cybersecurity priority. Functional safety monitoring for machines and processes is paramount across operations. Tying cybersecurity scenarios into safety requirements and regimens is a first step to producing this cultural change in practice.
Making Informed Decisions
The deterministic, purpose-built nature of OT/ICS has thus far demonstrated that no two attacks are ever the same, resulting in a lack of standardized data for risk calculations. At the same time, there are a myriad of formal, informal, and voluntary standards and compliance regimes to manage. As a result, the conversation during the webinar focused on making more informed decisions about risk and security controls despite these challenges.
Megan Samford, Chief Product Security Officer for Energy Management at Schneider Electric, focused on three key takeaways for more informed decision-making: the importance of trust, the need for standardized approaches, and well-established engagement models—like Incident Command Systems for Industrial Control Systems.
Puesh Kumar, Director of the Office of Cybersecurity, Energy Security, and Emergency Response at the U.S. Department of Energy, also highlighted the cybersecurity decisions that can be made proactively for new developments, like clean energy systems and deployments that tackle the challenges of climate change. Many technologies, including renewable and green energy systems, have the potential to build security in by design, rather than bolting on point solutions as an afterthought. The same can be said for integrations and the hyperconnectivity of many IoT and big data projects.
Making Informed Decisions
No single vertical can possibly solve the growing cybersecurity challenges alone. While prescriptive guidance can leave many end users scrambling to check boxes on an audit form, asset owners are tasked with keeping pace with the explosion of adopted technologies, supply chain incidents, and a growing threat landscape. Several opportunities sprang from the discussion—opportunities for future research, collaboration, trust building, and standardization. Below are the top three opportunities outlined across critical infrastructure:
- Building community trust: relationships between manufacturers, resellers, integrators, end users, consultants, and security providers require quality control—realistic and evidence-based expectations for cybersecurity are necessary to evaluate and sustain trust.
- Broad, simple campaigns: a coordinated push from the community of stakeholders working to build trust can go a long way in promoting broad campaigns, like cyber hygiene campaigns, to urge control system owners and operators to remove internet connectivity wherever possible, or to emphasize reducing their numbers of un-inventoried devices or “shadow” technologies.
- Secure product design and architectures: there is a new urgency for developing products with security by design, and secure architectures that account for the entire product lifecycle and incorporate both legacy systems and new devices and technologies. In particular, the staples of a Cyber-Informed Engineering Strategy can help to inform these strategies.