July 22, 2021
The 5×5—If it blinks, it sinks: Adventures in securing operational technology
Operational technology (OT) cybersecurity encompasses the software, hardware, policies, personnel, and services deployed to protect physical systems. These systems comprise the backbone of national critical infrastructure and represent tangible links between society and its digital tools and data. Energy, water, maritime, and transportation – all enable modern society on the back of operational technologies. In the past, these systems were more isolated and disconnected from other systems, with far more emphasis given to safety of their users than security of their component parts. No longer. With rising sophistication, automation, and interconnectivity in these operational technologies, security has become an overwhelming need. To help bridge the gap between the wider understanding of information technology and the often different, sometimes quirky, world of operational technology, we brought together a group of five leading voices. They share insights into trends in the cybersecurity of operational technology, dig into implications of recent events, and share their perspectives on what needs to change and how.
#1 What is the most common misconception about solutions for OT security?
Andy Bochman, nonresident senior fellow, Global Energy Center; senior grid strategist, national & homeland security, Idaho National Laboratory:
“The most common misconception is that for practical purposes, one can have confidence in anything called an air gap in 2021 – or in anyone still using that term.”
Bryson Bort, founder & CEO, SCYTHE:
“The biggest misconception is why there are systems with end-of-life operating systems and that the “just patch it” credo does not just work. The primary design considerations for this equipment are high availability and a long life-cycle. As a result, they will inherently outlast the vendor support for those operating systems. You cannot patch what is not even available, and that only applies to the equipment that even has the ability to be patched (many do not).”
Lesley Carhart, principal industrial incident responder, Dragos:
“One common misconception about building a healthy OT cybersecurity program is that industrial operators do not care about cybersecurity. In fact, industrial engineers spend a great deal of time contemplating and mitigating process risk, regardless of cause. They constantly make risk decisions for the purpose of safely maintaining consistent operations. Cybersecurity professionals would be wise to learn from them in order to communicate in a common language and better convey cybersecurity threats, and also to better our own risk evaluation skills. Miscommunication has led to frequent animosity between IT and OT teams.”
Danielle Jablanski, senior research analyst, digital innovations, Guidehouse Insights:
“The most common misconception about solutions for OT security is that commercial, off-the-shelf tools will solve a multitude of problems immediately. The cybersecurity market for IT is fragmented and, while there are fewer products for OT environments, none are one-size-fits-all for securing industrial environments. Solutions need to be implemented as part of a robust and dynamic security posture, fine-tuned to accurately represent the environment, and assessed for each specific industrial vertical. Technology is operationally different between transportation systems, manufacturing plants, and electric grids, and security should be too. It is also a good reminder that OT cybersecurity is not only for the energy industry.”
Kurt John, chief cybersecurity officer, Siemens USA:
“Install the solution and monitor the dashboard and you are all set. OT environments are almost like fingerprints – each one is different. There is a lot of work needed to calibrate to reduce false positives and get a good line of sight to potential threats. Most importantly though, there is a multi-year strategic and financial commitment needed from management to navigate the risk reduction journey that is often so challenging in OT.”
#2 The ransomware attack on the Colonial Pipeline in May 2021 made front-page news. What is your biggest takeaway from this incident with regard to OT security?
Bochman: “My biggest takeaway is that, as with Norsk Hydro, ransomware need not cross IT/OT demilitarized zones or reach into OT systems to wreak havoc on operations.”
Bort: “OT does not need to be directly affected by an attack for there to still be an impact. Just the threat of affected operations can be enough. Colonial Pipeline’s OT was not directly compromised, but the pipeline operators took its systems down because scheduling and billing were not operating effectively, and they were concerned that the attack would spread to OT.”
Jablanski: “Beyond the fact that corrupting IT systems can have an impact on industrial operations, my biggest takeaway is the realization that several known unknowns have not been addressed for critical infrastructure cybersecurity. Risks to industrial control systems have been reported to US government agencies since at least the early 2000s, including internet connectivity and insecure remote access. The wake-up call is not that cyber vulnerabilities suddenly exist in these environments, but that they have yet to be addressed or appropriately prioritized across many regulated and unregulated private and public sectors.”
John: “My biggest takeaway is that we need to apply a more consistent and comprehensive approach to security controls throughout our various OT environments. While OT environments can be non-homogenous and age at a much slower rate, we have an opportunity to be more intentional about how we go about securing critical infrastructure. From food production to water treatment facilities to mission critical software, we need to better protect the systems that keep our country moving.”
#3 What under-the-radar sector relies on OT, the security of which we may take for granted, that is prime for exploitation?
Bort: “Instead of a specific sector, which are fairly well defined by Presidential Policy Directive 21, I think your average business does not understand that they operate in an OT environment. OT underpins modern society: water, electricity, and fuel. Without any of those elements, we go back to the Stone Age pretty quickly. Furthermore, there is OT integration into office buildings for automation systems, HVAC, etc. You work in an OT environment; you just did not realize it.”
Carhart: “In the United States, municipal utilities tend to be less resourced than others, and are frequently responsible for water and sewage treatment. They are simply often smaller organizations with limited IT teams and budgets, and that directly impacts the humans and tools they have available to perform cybersecurity functions. This means that water services in the United States are frequently a nexus of potential health and safety consequences and poor cybersecurity resourcing and budgets. To compound this problem, Americans tend to not consider water or sewer outages (or contamination), as they are not a routine problem that they face like power outages. In other countries, regulation, resourcing, and ownership of utilities may look quite different.”
Jablanski: “Satellites and space-based systems, both commercial and military, which will be increasingly interconnected in the future according to the director of the Space Development Agency. We know that all fifty-five of the National Critical Functions vital to United States for connections, distribution, management, and supply of critical infrastructure depend in one way or another on space-based assets. Any exploitation that threatens the access, integrity, and control of these systems could have an outsized effect in any critical infrastructure sector – finance, healthcare, transportation, emergency services, and more.”
John: “Shipping and dock management. While the pandemic revealed the impact of compromised supply chain due to reduced manufacturing, it’s made it clear how exposed we can be. Imports as a percentage of gross domestic product is about 15 percent and exports about 12 percent. It’s a very complex system that is ripe for exploitation and could have a devastating impact on our economy.”
More from the Cyber Statecraft Initiative:
#4 What is one policy change that you would like to see in order to better protect core critical infrastructure and the OT that operates it that could realistically be implemented in the next two years?
Bochman: “Aim for resilience, understand how to operate in manual or near-manual mode, and practice doing it repeatedly.”
Bort: “The Cybersecurity and Infrastructure Security Agency (CISA) should provide a technical catalog of tools and configurations that it curates and maintains for the sectors under its purview. Instead of thousands of places fundamentally trying to individually solve the same problem, we can centralize the work and provide an improved baseline. Instead of throwing more paper at asset owners and operators, the US government can offer real carrots that owners and operators can take advantage of.”
Carhart: “I would personally like to see more affordable and accessible resources provided to smaller utilities for security monitoring, threat intelligence, incident response, and cybersecurity assessments. There are agencies like CISA making great strides in this space, but we need to see (and fund) more!”
Jablanski: “I would like to see policy which promotes greater cooperation between cybersecurity leaders and industrial control system (ICS) vendors, to create an incentive to pursue cybersecurity credentials and qualifications to encourage healthy market competition on cyber best practices and hygiene. Federal legislation or expanded certification bodies could enable OT/ICS vendors to do a better job addressing the environment-specific impacts of known or discovered vulnerabilities, without pursuing a compliance-based approach, and alleviating some end user burdens. A governmental push for vendors to create reference lists for specific vulnerabilities in specific industrial environments could be one priority to complement general product advisories and vulnerability scoring systems.”
John: “Given the complexity and variety of environments over the various sectors, a good two-year goal should be driving transparency. Driving transparency is a much more nuanced effort than most may think. With transparency, our short- and medium-term goals can get validated or calibrated as needed, while we work on a long-term strategy that addresses the IT/OT convergence.”
#5 What is the low-hanging fruit for better protecting OT? Where can the least resources go the longest way?
Bochman: “The answer to the low-hanging fruit question is always: do a fuller job with discovery, asset management, inventory, or whatever you want to call it. How can one secure what one does not even know they have?”
Bort: “Segmentation is a powerful defensive tool – what cannot be touched, cannot be hacked. However, the challenge in implementing segmentation is that it increases maintenance and can make operational tasks more difficult. Security is not the only factor in deciding what or why something should be architected a certain way.”
Carhart: “Solid environmental understanding and planning in advance for a cybersecurity incident goes a long way. While many organizations have relatively mature network maps, asset inventories, and basic security hygiene implemented in their enterprise networks, OT networks often fall behind for a multitude of reasons. As an incident responder consulting for these organizations, I often have to spend a significant amount of time building basic environmental awareness and procedures for an organization before I can begin effectively analyzing and containing a threat. It is much more cost effective to perform these essential preparatory tasks in advance of bringing in consultants on retainer or ad-hoc during an incident.”
Jablanski: “Securing OT networks requires knowledge of what data, devices and systems exist, and where, when, and how they communicate. First, audit what OT you already have to perform a full asset inventory and threat assessment with a cybersecurity team. This process can provide a map of the network, a detailed picture of the threat landscape, and what products, solutions, and services are needed based on the risks and priorities of the network and its stakeholders. Second, and most often overlooked, is the need to consider complex organizational (not technical) priorities in lieu of a breach/incident – legal, strategic communications, compliance, etc. If these priorities are not articulated before a cyber event, they almost certainly hamstring response capabilities and timelines.”
John: “Harmonizing information flow. The various sectors are still too siloed when it comes to information sharing. And even within those sectors, organizations hold critical information close to the vest. This creates the perfect playground for threat actors and results in a disjointed approach at the national level. Communication and collaboration are key to cybersecurity.”
Will Loomis is an assistant director with the Atlantic Council’s Cyber Statecraft Initiative under the Scowcroft Center for Strategy and Security, focused on the nexus of geopolitics and national security with cyberspace. Follow him on Twitter @loomisoncyber.
Simon Handler is an assistant director of the Atlantic Council’s Cyber Statecraft Initiative under the Scowcroft Center for Strategy and Security, focused on the nexus of geopolitics and international security with cyberspace. He is a former special assistant in the United States Senate. Follow him on Twitter @SimonPHandler.
The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.