Connected Automation Has Failed the First Rule of Cybersecurity

(Or What Brad Pitt Taught Me About Industrial Cybersecurity)

by Jim Cook & Dino Busalachi

“Careful, Bill, you’ll give yourself a heart attack and ruin my vacation.”

Sometimes worrying about today’s cybersecurity risks can feel like this. You implement a framework, identify vulnerabilities, evaluate those risks, address mitigation plans, and execute on process and technologies. Lingering thoughts remain about what’s missing, what’s changing, and new vulnerabilities, and you wonder if you’re next.

If you’re in an organization with industrial assets in your environment, you may be Bill. Industrial floors are full of critical automation and sensors controlling the expensive assets necessary for production. Not so long ago, these Industrial Control Systems (ICS) assets were deployed on separate isolated networks and fell out of the IT cybersecurity scope.

As things do, the needs evolved and these control systems were dropped onto the corporate network to take advantage of accessible resources such as terminals, remote access, printers, Wi-Fi, application integration and increasing data needs. However, that equipment, now referred to as OT (Operational Technology), remained out of IT control.

Traditional IT security protection approaches were to segment out the connected industrial equipment via VLANs, firewalls and various other separation methods. This was done for a few reasons:

1) the control systems running the equipment are under operational ownership, 2) any maintenance would be directed through the vendor or contracted support, and 3) operational changes would occur behind the view of IT departments and their technology tool solution sets. The lines were drawn: this is where the IT responsibility ends and where the OT responsibility begins.

“The first rule of Fight Club is: you do not talk about Fight Club.”

The first rule in cybersecurity is: Identify. The initial core element of any cybersecurity framework is ‘Identify’ (e.g. NIST/MITRE ATT&CK), so a common technique is to put in place asset inventory tools to drive asset discovery in order to build current and accurate baselines. These tools do a great job of providing visibility and reporting through SIEM and CMDB/AMDB technologies.

Now here is the rub - many of the networked assets in an industrial environment are not easily recognized because they are not the kind of asset that common discovery tools expect to find. Additionally, these are likely out of reach of traditional tools due to the network segmentation techniques. And, possibly more important, actively scanning ICS networks and assets is not recommended because of the potential adverse effects on the processing built into the controls.

Most ICS will switch to safe/stopped positions when communications are interrupted, and those traditional tools were not built for the industrial environments. An ICS without visibility poses a safety concern. Thus, on the OT side of the wall we have items that we cannot ‘Identify’ - which ultimately fails the first core element of a cybersecurity framework.

It used to be an acceptable risk. Dealing with cybersecurity is a constant weighing of risks. Previous alternatives to address risk actually could introduce more risk. OT owns the equipment and IT owns security, so just put those ICS assets in an OT box and lock it up until you can safely identify, right?

“What’s in the box?”

The threats and vulnerabilities continue to grow, including increases from outside parties, state actors, malware, ransomware, viruses and constant changes in the OT and IT environments.

Fortunately, the capabilities to address these issues have continued to expand. New software providers have partnered with major industrial automation vendors to build those capabilities to see inside that box safely. Vendors like Claroty, Dragos and Nozomi have built products that provide visibility and monitoring into that OT box.

These products can safely perform passive “deep packet inspection” and create accurate, current baselines of all the components on the OT network while integrating with the IT network. They can:

1) Recognize the connected industrial components and the communication protocols

2) Provide software and firmware levels, and

3) Understand who and what is communicating with these units.

Finally, there is a way to see inside that OT box.
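As an added illustration (not the authors’ text, and not any of the named vendors’ products), here is a minimal passive Modbus/TCP baseline builder: it parses captured frames without ever sending anything to the PLC, records which clients talk to which server and unit IDs, flags hosts issuing write function codes, and pulls vendor/product/firmware strings from a Read Device Identification response. The frames, IP addresses and device strings are constructed for the example; a real deployment would feed it frames from a SPAN port or network TAP.

```python
from collections import defaultdict
WRITE_FCS = {0x05, 0x06, 0x0F, 0x10}                  # Modbus function codes that change process state
DEVID_OBJECTS = {0x00: "vendor", 0x01: "product_code", 0x02: "firmware"}

def parse_mbap(payload):
    """Return (unit_id, function_code, pdu), or None if this is not a well-formed Modbus/TCP frame."""
    if (len(payload) < 8 or int.from_bytes(payload[2:4], "big") != 0
            or int.from_bytes(payload[4:6], "big") != len(payload) - 6):
        return None                                   # protocol id must be 0; length = unit id + PDU
    return payload[6], payload[7] & 0x7F, payload[7:]

def parse_device_id(pdu):
    """Decode a Read Device Identification response (FC 0x2B, MEI type 0x0E) into named objects."""
    if len(pdu) < 7 or pdu[1] != 0x0E:
        return {}
    objs, pos = {}, 7                                 # objects follow the 7-byte response header
    while pos + 2 <= len(pdu):
        oid, olen = pdu[pos], pdu[pos + 1]
        objs[DEVID_OBJECTS.get(oid, f"obj_{oid:#04x}")] = pdu[pos + 2:pos + 2 + olen].decode("ascii", "replace")
        pos += 2 + olen
    return objs

def build_baseline(frames):
    """frames: (src_ip, src_port, dst_ip, dst_port, tcp_payload). Inventory keyed by Modbus server IP."""
    inv = defaultdict(lambda: {"units": set(), "clients": set(), "functions": set(),
                               "writers": set(), "identity": {}})
    for src, sport, dst, dport, payload in frames:
        parsed = parse_mbap(payload)
        if parsed is None:
            continue
        unit, fc, pdu = parsed
        if dport == 502:                              # request: who talks to which unit, and how
            asset = inv[dst]
            asset["units"].add(unit); asset["clients"].add(src); asset["functions"].add(fc)
            if fc in WRITE_FCS:
                asset["writers"].add(src)
        elif sport == 502 and fc == 0x2B:             # response: harvest vendor / product / firmware
            inv[src]["identity"].update(parse_device_id(pdu))
    return dict(inv)

def mbap(unit, pdu):                                  # MBAP header (transaction id 1) for the sample frames
    return b"\x00\x01\x00\x00" + (len(pdu) + 1).to_bytes(2, "big") + bytes([unit]) + pdu

SAMPLE_FRAMES = [  # constructed capture: HMI 10.0.1.20 polls PLC 10.0.1.5; station 10.0.1.31 writes a register
    ("10.0.1.20", 50120, "10.0.1.5", 502, mbap(1, bytes([0x03, 0, 0, 0, 10]))),
    ("10.0.1.31", 50200, "10.0.1.5", 502, mbap(1, bytes([0x06, 0, 7, 0x01, 0x2C]))),
    ("10.0.1.20", 50121, "10.0.1.5", 502, mbap(1, bytes([0x2B, 0x0E, 0x01, 0x00]))),
    ("10.0.1.5", 502, "10.0.1.20", 50121, mbap(1, bytes([0x2B, 0x0E, 0x01, 0x01, 0, 0, 3]) + bytes([0, 9])
        + b"ExampleCo" + bytes([1, 6]) + b"PLC-42" + bytes([2, 6]) + b"v2.3.1")),
]
```

Running `build_baseline(SAMPLE_FRAMES)` yields one asset, 10.0.1.5, with two clients, firmware "v2.3.1", and 10.0.1.31 listed as the only host that writes to it; a host appearing in `writers` that is not an approved engineering station is exactly the kind of finding the baseline exists to surface.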

“You must lose everything to gain anything.”

Let’s hope not. This is what we’re trying to prevent. Unplanned, unscheduled downtime is a significant loss risk, not to mention the other potential damage to humans, the environment and ICS assets, which extends downtime and costs further.

Digital Safety is paramount in the industrial environment. As these emerging technologies continue to advance, it’s time to introduce these tools as part of a standard security procedure. If you don’t have the visibility, you don’t know the risks.

Put steps in place now to reduce the risk of losing anything or ‘everything’. The basics still stand. Start with Identify. Then once identified, Protect.

If you have industrial assets in your environment and don’t know or don’t have full visibility, it’s time to address ‘the first rule’. Find an expert knowledgeable in these emerging tools and techniques and ask the question.