Author: Susan Bond, Sr. Program Manager, Solution Architect and Technical Leader
In my last blog, I may have scared everyone. We talked about how the Internet of Everything has become this epic evolution of technology AND security risk. But, as promised, there are solutions that we can all work toward to keep us better protected from cyber threats with the convergence of IT (Information Technology), OT (Operational Technology), and CT (Consumer Technology). I had previously explained that because of the fusion of these three technologies, the number of attack surfaces has exploded exponentially. It is scary stuff and something we all need to be aware of. But that is where the solution side comes in. There are three parts to this, the 3 C’s: Connect, Communicate, and Collaborate.
Connect – Who is Involved?
Since we no longer have the luxury of security through obscurity in the OT world, and the IT world often has great security processes, we need to make sure these two teams actually know about each other and break down any barriers that might exist. We need to identify the key stakeholders across all three areas of IT, OT, and CT. These areas of technology are so siloed right now, and because of that, OT can’t leverage the formal and mature security structure on the IT side. OT has been addressing security issues on its own, and is often years behind. If you identify the stakeholders, they can connect and start to communicate with each other.
In a typical company where you have a CIO and COO, they have different missions and there is no one bridging the gap. I want to talk in terms of the security world and bring up the CIA Triad (no, not that CIA). This CIA is – Confidentiality, Integrity, and Availability. IT’s mission is to focus on the Confidentiality and Integrity of data and technology, and Ops are focused on Availability as their main driver. So, a CIO has no problem with a patch management policy that takes the systems down for one weekend every month to install updates. But a COO can’t allow a sensor to be out of operation for maintenance without affecting availability. For example, a power grid must always remain on, and therefore a sensor that monitors some critical piece of the grid can’t just be “down for maintenance.”
By connecting these sides of the company together, we can understand the difference in missions and focus of the different teams, and find ways to get past those differences. It is hard to communicate and collaborate until you know the whole story from both sides.
Communicate – Talk With Each Other, Not At Each Other
Once IT and OT are connected, best practices can be shared and discussed so they are understood by both sides of the house – it’s important to not just talk AT each other. For example, IT must understand why availability is so important to OT. IT must walk in the shoes of OT to understand what even a brief outage might impact and cost the company. Once you start communicating and really understanding, solutions can be designed to meet all the requirements. Great solutions typically come from a diverse group of people due to the richness of the conversation.
A risk assessment is a great tool that is well understood on the IT side; however, OT folks may or may not be aware of the risk assessment process, but are able to get their minds wrapped around it pretty easily. This practice is a more tangible solution to combat security risks. A risk assessment is useful to understand what assets are important to the organization and what risks those assets might face. Then, they can drill down and see how to avoid or mitigate these risks. IT has been using NIST (National Institute of Standards and Technology) standards and guidelines on the business systems side for decades. Now NIST is focusing on the OT or ICS (Industrial Control Systems) side and in 2015, revised NIST Special Publication 800-82 Guide to Industrial Control Systems (ICS) Security.
Collaborate – Hey OT, Don’t Go It Alone
Now that we are all connected and communicating, let’s get together and start doing things. A quick caveat here – IT can’t be coming in with all the answers, like “here is patch Tuesday, you just get a maintenance window and no big deal.” Except that it is a big deal for OT. You can’t just cookie-cutter IT security processes to fit OT. This should evolve into a new or at least adapted solution, but with a lot of collaboration and sharing to get there.
This is a tough challenge – you must build expertise within the organization. Expanding the IT risk assessment solution is where connect, communicate and collaborate can have a significant impact. Once IT and OT have worked to understand each other, the next logical step would be to work together from a holistic and convergent perspective. Take the risk assessment process your IT department is undoubtedly using and expand it to include the OT side of the house. Ask questions like, “Are all our sensors connected to the Internet now?” Leverage the mature IT processes and maybe even some of those IT resources, and implement a holistic risk assessment that includes the OT assets and the risks that they face. If the most expensive asset has a low probability of having a vulnerability, that is different than a low-cost asset having 90% exposure. Evaluate risk with different dimensions. Working together on this assessment will drive collaboration on the much-needed solutions to address the risks facing OT assets and will build a shared knowledge across the different teams. Collaboration leads to knowledge and that’s the key to hardening your OT systems – understand where the risks are and implement solutions that avoid or mitigate those risks.
Maybe in your refinery, you are going to be upgrading a few sensors. Maybe you start there, with a way to incorporate patches. Doing it on a new system, modeling and assessing threats while in design and development, is always far easier and less costly than after system implementation. You may find the biggest risk is the legacy components – if that is the case you must attack with a different solution and be creative. This might be when you look at consultants or other experts because I regret to tell you there are no great answers on the shelf.
In the end, the solution lies with strong leadership that advocates for the three C’s – Connect, Communicate, and Collaborate. Teams must arrive at the fusion of OT, IT and CT security problems with a holistic and convergent solution mindset. We don’t have time for barriers. If you only take away one point from this series, it is that you must conduct a holistic cyber security risk assessment from all points of view of IT, OT, and CT. How else would you try to address this without taking a convergent look?