If you thought things were bad in the world of IT network security over the past decade, I have an incredibly bleak thesis to present to you.
Despite the collective failures in that space – leading to billions in stolen intellectual property, massive intelligence gains like OPM, hundreds of millions of stolen identities, etc. – there were clearly major advances in terms of security controls. Countless innovations – tons of investment in terms of people and money, the birth and evolution of an industry/subindustries, a proven ability to respond to (although not foresee) emerging threats – depict a tremendous number of positives hidden behind the losses. That focus is why we currently have a market of approximately 2,000 security solutions (the value of which is a topic for another discussion).
In the world of critical infrastructure/industrial control systems (ICS) security (aka operational technology), despite nearly two decades of discussion around nightmarish cyberattack scenarios and outcomes, the past 10 years can arguably be labeled “The Lost Decade of Information Security.”
I would argue that we are no better off today in terms of cybersecurity readiness than we were 10 years ago. This belief keeps me up at night and wakes me before the sun many mornings as the threat landscape is clearly growing more active and dangerous by the day. The theoretical is becoming reality and, unfortunately, we aren’t prepared to counter the threat just over the horizon.
What is encouraging is that in the past two years – and notably the past few months – we have seen an accelerated pace of awareness and prioritization being given to ICS security. The emergence of new startups in the sector, the newly found focus of entrenched security companies, the level of discussion among CISOs, board members, etc. shows some light amid my otherwise dark skies analysis. What’s discouraging is that all of what I’ve just listed has come as a result of an increasing amount of targeted and spillover attacks into this domain.
Where We Went Wrong
• Failing to “bridge the gap” between IT and ICS (Engineering) staff – These teams approach the world with completely different viewpoints, backgrounds and missions. ICS staff have safety and uptime as the core thought in every decision they make, and they have zero tolerance for the introduction of security controls which jeopardize either. Even a concept as basic as patching is problematic because it brings downtime to production. These teams have made strides in working with one another, but the lack of solutions built specifically for ICS, that don’t jeopardize uptime and safety and that offer demonstrable value to both teams, has resulted in a closed-door policy in most cases. “I own the shop floor. I need to keep production moving. I need to make sure nothing fails that could cause safety concerns for our teams or the public. NO – you are NOT putting that in my network.”
• Falling victim to the notion that prescriptive commands/standards could and would be implemented – Kudos for giving ICS security focus. Kudos for developing regulations such as NERC CIP to mandate security controls in this domain. But, while standards such as IEC 62443 have done a very good job outlining controls which COULD be applied, anyone who has done hands-on work on these networks knows that they are NOT easy to apply. While in theory the right thing to do, many of these recommendations are simply not practical when considering business requirements. Also – as is the case with virtually all standards/compliance type regimes – what is intended as a floor too often becomes a ceiling.
• Trying to force the “square pegs” of IT security into the “round holes” of ICS networks – IT security tools were not designed for fragile ICS networks. Approaches like active scanning, active querying and other “standard IT tools” have crashed PLCs, interrupted uptime and caused significant problems when implemented. We know of one real-world, recent example where a WIDELY utilized network scanning tool caused an electrical outage.
• Delaying investment because “these attacks are theoretical – they aren’t happening” – Logically, cybersecurity budgets over the past decade were dedicated to the areas where the bleeding was occurring. Have no idea who’s inside your network? Full packet capture and forensics tools. Dealing with a million point solutions? SIEMs and orchestration tools. Suffering under the scourge of spear-phishing? Advanced endpoint solutions, etc. It makes sense, and you can’t really fault people for investing this way. However, this “whack-a-mole” approach to dealing with cyberthreats has resulted in woefully underfunded programs for ICS cybersecurity. I fear that this shortsightedness will soon come back to bite us. The theoretical attacks we’ve discussed for 20 years are manifesting in examples such as Stuxnet, Ukraine ’15 and ’16, the spillover from WannaCry and Petya/NotPetya, etc.
• Believing that the concept of “air-gapped” networks was ever a reality/would stand up against business and efficiency demands – “We’ll design the network so it can’t be accessed from the outside/so there is no interconnectivity with the IT network.” Sounded good for a time, but business demands have eradicated the notion of an “air-gapped” ICS network. Maintenance requirements, connectivity to the supply chain, remote analytics, managing “top floor to shop floor” KPIs, the desire to drive predictive analytics – these needs have seen “air gapping” go the way of the dinosaur. As a result, air gaps now have one thing in common with unicorns – they don’t exist.
• Difficult-to-implement, hard-to-consume, cumbersome-to-maintain previous-generation ICS-specific solutions – A number of promising ICS-specific cybersecurity solutions have emerged over the years and failed to gain mainstream traction. Difficulty in implementation (let’s put this firewall in front of every PLC), difficulty in consumption (massive installation projects, significant upfront time to configure) and unwieldy/unrealistic maintenance requirements saw these promises fail. Their designers simply didn’t understand the unique needs of the ICS consumer.
Overcoming the Lost Decade of ICS Information Security
We lost a decade and now the threats are at our doorstep. We clearly don’t have a decade to evolve through the same layered/defense-in-depth strategies that marked the last decade in IT security. The slow pace of evolution won’t work – we need a revolution.
So, practically, what actions can we take – right now – to vault the state of ICS security forward?
First, we need to stop “studying” the problem. With due respect to the recent Presidential Executive Order calling for a review of critical infrastructure cybersecurity readiness, we’ve conducted studies, analyzed and seen countless recommendations sit on desks around the globe. We need immediate focus and investment from government, board rooms, CIOs/CISOs, ICS owner/operators, security vendors and ICS equipment manufacturers on the problems confronting us.
We need a reference architecture which delivers the “biggest bang for the buck” and the most rapid increase in security readiness: a framework that can be implemented easily and rapidly (i.e., months, not years) and that focuses on risk assessment, real-time monitoring, high-risk vulnerability management, threat intelligence, advanced endpoint protection and rapid response.
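As an added illustration (not code from the article or any vendor it alludes to) of what the “real-time monitoring” element can look like without the active scanning that the author says has crashed PLCs: a passive Modbus/TCP monitor that parses frames copied off a span port, alerts on state-changing write functions from any host outside an engineering-workstation allow list, and flags malformed headers. The IP addresses, allow list and captured frames are constructed for the example.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that change PLC state (coils/registers); reads are left alone.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers",
                   22: "Mask Write Register", 23: "Read/Write Multiple Registers"}

@dataclass
class Alert:
    src: str
    dst: str
    function: int      # -1 when the frame could not be parsed
    reason: str

def parse_mbap(payload: bytes):
    """Parse one Modbus/TCP frame: 7-byte MBAP header, then the PDU.
    Returns (unit_id, function_code, data) or None if the frame is malformed."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id must be 0; length counts unit id + PDU, i.e. everything after byte 6.
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7], payload[8:]

def inspect_flows(flows, allowed_writers):
    """Passive check over (src, dst, tcp_payload) records: never sends anything to the PLC."""
    alerts = []
    for src, dst, payload in flows:
        parsed = parse_mbap(payload)
        if parsed is None:
            alerts.append(Alert(src, dst, -1, "malformed Modbus/TCP frame"))
            continue
        _unit, fc, _data = parsed
        if fc in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append(Alert(src, dst, fc, f"{WRITE_FUNCTIONS[fc]} from unapproved host"))
    return alerts

# Constructed sample traffic: (src, dst, raw TCP payload). 10.0.20.1 is the PLC.
ALLOWED_WRITERS = {"10.0.10.7"}  # constructed: the one approved engineering workstation
SAMPLE_FLOWS = [
    ("10.0.10.5", "10.0.20.1", bytes.fromhex("000100000006010300000002")),        # HMI reads 2 registers
    ("10.0.10.7", "10.0.20.1", bytes.fromhex("000200000006010600010001")),        # EWS writes one register
    ("10.0.30.9", "10.0.20.1", bytes.fromhex("000300000009011000010001020000")),  # unknown host writes
    ("10.0.30.9", "10.0.20.1", bytes.fromhex("000412340006010300000002")),        # bad protocol id
]

def run_sample():
    return inspect_flows(SAMPLE_FLOWS, ALLOWED_WRITERS)

if __name__ == "__main__":
    for a in run_sample():
        print(f"ALERT {a.src} -> {a.dst} fc={a.function}: {a.reason}")
```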
Unlike two to three years ago, technologies exist today that are acceptable to both ICS and Security teams. The discussion needs to stop and, collectively, we as stakeholders need to take action. The threat is real and just over the horizon.