As I reflect on the S4x20 cyber security conference held from January 21-23, 2020 in Miami, Florida, I feel empowered by the opportunity to share insight into challenges facing those in ICS/SCADA and critical infrastructure.
Managing, operating and maintaining industrial control systems requires skilled operators, strong technology, reliable firmware and hardware, and many additional resources. The world of industrial cyber security is always evolving, and S4x20 offers a platform for open discussion and debate around OT best practices, trends and threats.
What is S4x20?
Known as the largest gathering of ICS security talent in the world, S4x20 was designed to foster discussions amongst OT cyber security leaders to discover innovative ways to deploy secure and resilient industrial control systems.
Dale Peterson of Digital Bond, and founder of the S4 events, once again put on a spectacular cyber conference. The most impressive parts of the ICS event were the devoted following of several hundred attendees and an incredible list of speakers from the Operational Technology (OT), Industrial Control System (ICS) and critical infrastructure fields.
The attendee list continues to grow each year, attracting ICS personnel with an interest in improving OT cyber security, optimism about the change they want to see in ICS security, and eagerness to have a hand in driving the future of cyber security innovation.
Having FOMO? Don’t stress. I’ve compiled the biggest takeaways from S4x20:
Security needs to be engineered into solutions with consideration of impact and layers.
Several experts such as Sarah Fluchs, Chris Sistrunk, and Andy Bochman stated the obvious: you should engineer security into solutions based on impact and risk, not bolt it on after the fact. Frameworks, defensive layers and technologies exist for this, though most of them are very old. If you are early in your cyber security journey, reach out to OT experts for assistance.
Legalities and cyber security insurance need to be managed successfully.
Setting aside the legal consequences that may or may not arise from a cyber security incident, or from non-adherence to a standard or initiative, insurance is not a remediation or prevention mechanism. Cyber security insurance should be used after a cyberattack occurs to manage the costs of the incident. It does not absolve you of the attack or its costs.
Cryptography will be difficult to implement in Operational Technology.
Public Key Infrastructure (PKI) has benefits in several realms, but whether PKI can work effectively in OT remains an open question. Using cryptography to secure OT communications against third parties has not been fully vetted. Perhaps a body such as ISA's Global Cybersecurity Alliance could lead the charge on researching a solution with a sample of realistic asset owners.
Time, NTP and GPS/GNSS need to be considered as risk vectors.
In relation to the previous point about cryptography, virtual private networks (VPNs), current secure communication protocols, and many real-time systems need accurate and trustworthy time sources to validate objects such as certificates: a clock that is wrong makes a valid certificate look not-yet-valid or expired. What will occur if we don't manage a risk that has been observed and known about for decades in industries fraught with edge cases where time, accuracy, and validation are crucial? This question remains unanswered, but doing nothing is not a solution.
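To make the time dependency concrete, here is an added example (not code from the post or from any S4 speaker) of the two checks a device performing certificate validation would want: the validity-window check itself, and a plausibility guard on the time source before it is trusted. The certificate window, firmware build date and the one-hour step threshold are constructed values chosen for illustration; a real deployment would derive them from its own certificates and clock policy.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc

# Constructed certificate validity window (not a real certificate).
NOT_BEFORE = datetime(2020, 1, 1, tzinfo=UTC)
NOT_AFTER = datetime(2021, 1, 1, tzinfo=UTC)

# Hypothetical: timestamp baked into the firmware at build time. A device
# cannot legitimately observe a time earlier than the build that it runs.
FIRMWARE_BUILD_TIME = datetime(2019, 12, 15, tzinfo=UTC)

# Hypothetical policy: largest single clock step accepted once a trusted
# time is known; larger jumps are treated as a bad NTP/GNSS source.
MAX_STEP = timedelta(hours=1)


def cert_time_valid(now, not_before=NOT_BEFORE, not_after=NOT_AFTER):
    """Validity-window check, as performed during certificate path validation."""
    return not_before <= now <= not_after


@dataclass
class TimeSanityGuard:
    """Plausibility checks applied to a candidate time before it is trusted."""
    last_trusted: Optional[datetime] = None

    def accept(self, candidate):
        # 1. A time before the firmware build is impossible. This is what a
        #    device without a battery-backed RTC reports after a reboot
        #    (epoch 1970) or after a GPS week-number rollover.
        if candidate < FIRMWARE_BUILD_TIME:
            return False, "time before firmware build; clock reset or rollover"
        # 2. Once synchronised, refuse large jumps: the usual signature of a
        #    spoofed or misconfigured GNSS/NTP source.
        if self.last_trusted is not None:
            step = abs(candidate - self.last_trusted)
            if step > MAX_STEP:
                return False, f"clock step of {step} exceeds {MAX_STEP}"
        self.last_trusted = candidate
        return True, "ok"


def validate_with_time_source(guard, candidate):
    """Reject the certificate unless the time source itself is plausible."""
    ok, reason = guard.accept(candidate)
    if not ok:
        return "time-source-rejected", reason
    if not cert_time_valid(candidate):
        return "cert-outside-window", "certificate not yet valid or expired"
    return "accepted", reason


def demo():
    """Run the constructed scenarios and return (status, reason) per step."""
    guard = TimeSanityGuard()
    scenarios = [
        # Reboot without RTC: clock reads 1970, cert would look not-yet-valid.
        datetime(1970, 1, 1, tzinfo=UTC),
        # First plausible sync inside the certificate window.
        datetime(2020, 6, 1, 12, 0, tzinfo=UTC),
        # Spoofed source jumps two years ahead; without the guard the
        # certificate would simply read as expired.
        datetime(2022, 6, 1, 12, 0, tzinfo=UTC),
        # Normal drift within tolerance of the last trusted time.
        datetime(2020, 6, 1, 12, 30, tzinfo=UTC),
    ]
    results = [validate_with_time_source(guard, t) for t in scenarios]
    # A genuinely expired certificate on a device that syncs for the first
    # time after the window closed: the time is plausible, the cert is not.
    results.append(validate_with_time_source(TimeSanityGuard(),
                                             datetime(2021, 3, 1, tzinfo=UTC)))
    return results


if __name__ == "__main__":
    for status, reason in demo():
        print(f"{status:22} {reason}")
```

The point of the guard is that certificate validation alone cannot tell a bad clock from a bad certificate; the two failure modes produce the same "expired" or "not yet valid" result, and only a check on the time source separates them.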
New hardware designs enter the industrial cyber security market.
Better security designs applicable to OT markets are emerging. Some cyber security hardware works at the network layer, at a speed that seems appropriate for many applications. The caveat is that hardware brings its own set of security vulnerabilities and errata, which research often misses and which remain uncategorized.
Most vulnerabilities still require physical, poor configuration and/or network access to be realized.
This is often due to poor cyber hygiene, misconfiguration, or a human insider element. Identifying these vulnerabilities remains a large focus area for reducing incidents, lowering the risk of disruption, and improving fiscal performance. The challenge further compounds the risk of ransomware when asset owners struggle with software patching, vulnerability management, and effective recovery practices, such as restoring virtual machines from recent, secure backups.
OT application logic and configuration should be examined as a threat vector.
We often focus on the firmware, applications, and devices, but rarely on the security of the most important part: the logic running our OT processes and the device configurations. As with business or web applications, flaws in logic and configuration are harder to detect and fix than flaws in the platform, so other compensating controls and capabilities are needed to handle the edge cases.
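One such compensating control is to treat controller logic and configuration as an artefact with a baseline, and to review changes against both that baseline and engineering limits. The following is an added example (not from the post or any vendor product); the configuration, the limits and the field names are constructed for illustration, and a real implementation would export them from the engineering workstation or the controller itself.

```python
import hashlib
import json

# Constructed baseline of a controller configuration as captured after
# commissioning. Not taken from any real device.
BASELINE = {
    "firmware": "2.4.1",
    "setpoints": {"tank1_level_high": 85.0, "pump1_max_rpm": 1450},
    "interlocks": {"tank1_overfill_trip": True, "pump1_dry_run_trip": True},
    "remote_write_enabled": False,
}

# Hypothetical engineering limits. A value outside its range is unsafe no
# matter who wrote it, so it is flagged even if the baseline itself drifted.
LIMITS = {"tank1_level_high": (0.0, 90.0), "pump1_max_rpm": (0, 1500)}


def config_digest(cfg):
    """Stable hash of a configuration: identical content gives an identical digest."""
    canonical = json.dumps(cfg, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def _flatten(d, prefix=""):
    """Yield (dotted.path, value) pairs for a nested dict."""
    for k, v in d.items():
        path = f"{prefix}{k}"
        if isinstance(v, dict):
            yield from _flatten(v, path + ".")
        else:
            yield path, v


def review_config(baseline, current, limits=LIMITS):
    """Return findings as (kind, path, baseline_value, current_value) tuples."""
    findings = []
    base = dict(_flatten(baseline))
    cur = dict(_flatten(current))
    for path in sorted(set(base) | set(cur)):
        if path not in cur:
            findings.append(("removed", path, base[path], None))
        elif path not in base:
            findings.append(("added", path, None, cur[path]))
        elif base[path] != cur[path]:
            kind = "drift"
            # A safety interlock switched off is a distinct, higher-severity
            # finding than a generic change.
            if path.startswith("interlocks.") and cur[path] is False:
                kind = "interlock-disabled"
            findings.append((kind, path, base[path], cur[path]))
    # Range checks need process knowledge that a plain diff does not have.
    for name, (lo, hi) in limits.items():
        path = f"setpoints.{name}"
        if path in cur and not (lo <= cur[path] <= hi):
            findings.append(("out-of-range", path, f"{lo}..{hi}", cur[path]))
    return findings


def demo():
    """Constructed 'current' configuration with three suspicious changes."""
    current = json.loads(json.dumps(BASELINE))  # deep copy of the baseline
    current["setpoints"]["tank1_level_high"] = 95.0       # above engineering limit
    current["interlocks"]["tank1_overfill_trip"] = False  # interlock disabled
    current["remote_write_enabled"] = True                # write access opened
    return review_config(BASELINE, current)


if __name__ == "__main__":
    print("baseline digest:", config_digest(BASELINE))
    for kind, path, before, after in demo():
        print(f"{kind:19} {path}: {before!r} -> {after!r}")
```

The digest answers "did anything change"; the per-path review answers "what changed and does it matter". The second question is the hard one the post refers to: a setpoint moved from 85 to 88 passes the range check and looks like routine tuning, so findings still need an engineer who knows the process to close them.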
Software Bill of Materials (SBOMs)
Security is typically an afterthought to product design, maintenance, implementation and the general lifecycle. And yet we work in a world where cost is based on materials and on delivering products to customers. That would make sense if the product were physical, such as a special type of reinforcement bar (rebar), where the bill of materials is the cost. In software, this is not the case: the components a product is built from are rarely enumerated at all.
Engineering security into a framework is beneficial because it exposes these hidden costs. While security generally raises costs up front, it lowers them over time through improved product quality and less effort across the product's lifespan. Most security defects, or "flaws", are the result of poor engineering and implementation.
Threat hunting and anomaly detection tools are still shiny objects that require humans to investigate alerts and respond.
Unfortunately for OT environments, cyber incidents take place without warning and require immediate response. Rebekah Mohr of Accenture highlighted the risks of chasing the shiny object in her presentation. This theme echoed in the hallways with operators that I talked to. Successful security requires prevention, restoration, and response procedures to be concrete, documented and validated.
What good is threat intel if there is no way to respond? Cyber security budget should be spent on primary capabilities before extracting value from threat hunting and passive detection if you are early in your cyber security journey. While there is still value in threat hunting and vulnerability detection tools, they don’t gather the level of detail needed for extended physical and logical asset management.
As I step back from these nine topics, there is an overarching theme that emerges around the need for a more rigorous design and management of the security of these environments. Whether in the form of engineering the control systems with security in mind, ensuring vulnerabilities of core infrastructure are understood and remediated, or avoiding the “shiny object” as Rebekah noted about anomaly detection, there is an urgent need to think about managing these environments more intentionally for security protection.
Will you be joining the next S4 event? I hope to see you there.