"You never want a serious crisis to go to waste. And what I mean by that is an opportunity to do things that you think you could not do before. … This is an opportunity, what used to be long-term problems…things that we have postponed for too long, that were long-term, are now immediate and must be dealt with. This crisis provides the opportunity… to do things that you could not do before. The good news… is the problems are big enough that they lend themselves to ideas from both parties for the solution."
– Rahm Emanuel (former mayor of Chicago), November 19, 2008
The notion of IT vs. OT
For years, most IT security and OT (operational technology) leaders have been on opposing sides of the aisle. The Chief Information Security Officer (CISO) and other IT security leaders struggle to find the right way to bring security to OT systems that operate critical physical systems such as power, water, manufacturing, and buildings.
The disconnect between IT and OT derives from three types of challenges:
- Technical challenges between IT and OT: OT systems are truly unique in their design and operation, requiring a different approach to security than in IT.
- Incentive structure differences between IT and OT: While operations teams are incentivized on keeping plants operational and cost effective today, security can be seen as costly and disruptive to operations.
- Organizational challenges between IT and OT: Operations do not want third parties messing with their sensitive controls equipment.
Whatever the reasons for the IT/OT separation, the difficulty of dealing with the long-term problem of securing OT systems is nothing new.
Impacts on IT and OT during the economic crisis
But we now face a crisis, perhaps one of the most severe crises we have ever faced as an industrialized world. The economic recession/depression brought on by the COVID-19 nationwide shutdown definitely satisfies the definition of “serious crisis” in Rahm’s quote above.
Often taken out of context, the quote refers to being forced to face difficult choices because of a change in the world that two parties could previously avoid. OT cyber security is one of those difficult choices: it requires cooperation, adjusting commonly held beliefs, thinking radically differently about solution sets, and taking bold, programmatic action for resolution.
This economic crisis has forced the operational technology industry to recognize that the air gap often assumed to protect critical infrastructure and cyber-physical systems is gone (if in fact it was ever there in the first place).
Because of the fear and the overall need to radically reduce cost, especially in the oil and gas industry after the price declines, more companies are enabling remote access for employees into the control systems of these OT environments. This isn’t a choice. It is a requirement. The COVID-19 crisis has forced it.
The separation of the plant or operating environment from the rest of the world has gone away for many companies. The air gap was intentionally breached. The press is addressing how to manage remote access securely, which is an important element of the solution, but an article published by the World Economic Forum (WEF) on the threats facing utility companies from increased remote work raised the more fundamental question.
The WEF article listed four suggested actions for utility companies: 1) understand the risk and what is allowed and not allowed, 2) establish baseline defenses (secure connections, monitor anomalies, and prepare for incident response), 3) build interoperable defenses with your supply chain partners, and 4) re-engineer security for these new workflows.
It is this last point that provides the jumping-off point for how to “not let the crisis go to waste”.
The CISO, the CFO, the COO, the EVP/SVP/VP of Operations of any industrial organization must realize the air gap is gone. The crisis has laid this bare. So, how do you re-engineer security in this new world?
Some may argue to think small: secure your remote access and solve the near-term problem. However, the bold actors will step back and ask like Rahm did: How do we take advantage of the crisis to solve the long-term problem that we all know would exist someday? How do we bring the parties together and get the best ideas from both sides? How do we not just supply a quick fix, but do the things we couldn’t do before?
4 Suggestions for Re-Engineering Security When the Air Gap is Gone
Establish that the problem is immediate, and gain IT/OT alignment on addressing it now
Without bold action on the part of an organizational leader, this crisis will pass. There are hundreds of near-term priorities right now that need to be addressed. Further, it is human nature to assume, or at least hope, that things will go back to normal after the crisis, i.e. that we can put the genie back in the bottle and re-establish the air gap. It is tempting to take the quick solution of “secure remote access” and move on to the next topic.
It takes a bold security leader to gain alignment that this crisis is showing us what the future will look like. Plants won’t be disconnected anymore. Remote access will grow, not shrink. As one of our clients at a large, global pharmaceutical company said the other day, “I’m able to do all of this work remotely. It is saving travel, time, and my team’s lifestyle. Why would we go back to how we did it before?”
The CISO is best positioned to make this call, but it can be any senior-level leader who can bring people together to map out a long-term solution to a problem that is not going away.
Think beyond “secure remote access”
So, why isn’t secure remote access the solution? Even with secure access, you are making assumptions about the security “inside the shell” that you have allowed remote access into. The reality is that in most industrial environments, OT systems management (current inventory, patching, configuration hardening and management, user and account management, etc.) is not practiced the way it is in a modern IT environment.
As a result, truly securing remote access so that it cannot impact sensitive devices is almost impossible without re-engineering the security model, as the WEF article recommends.
This means addressing endpoint security behind that access point: an accurate hardware and software inventory; current patches, or at a minimum tracked compensating controls for systems that cannot be patched; hardened configurations; closely managed user accounts and rights; and accurate, up-to-date internal network protections with monitored rules. In short, it means applying most IT security management practices to the OT environment.
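The checks listed above can be expressed as rules over the asset inventory, so that every asset reachable through remote access is reviewed against them before (and after) access is granted. The following Python is an added illustration of that review logic, not Verve’s tooling or any product code; the inventory records, asset names, change-ticket reference and the 90-day stale-account threshold are all constructed assumptions for the example.

```python
"""Control-gap review for OT assets exposed through remote access.

Added example (not code from the original article): each remotely reachable
asset is checked against the controls the text names: current patches or a
tracked compensating control, a hardened configuration, and actively managed
accounts. Assets with no remote path are out of scope for this review.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

# Assumption for the example: an account unused this long counts as unmanaged.
STALE_ACCOUNT_DAYS = 90


@dataclass
class Account:
    name: str
    last_login: date
    is_shared: bool = False  # shared/group logins cannot be tied to a person


@dataclass
class Asset:
    asset_id: str
    role: str
    remote_reachable: bool            # any path from the remote-access zone
    patch_current: bool
    compensating_control: Optional[str]  # tracked reference (e.g. change ticket) or None
    config_hardened: bool
    accounts: List[Account] = field(default_factory=list)


Finding = Tuple[str, str]  # (severity, description)


def review_asset(asset: Asset, today: date) -> List[Finding]:
    """Return the control gaps for one asset; empty list if none or out of scope."""
    findings: List[Finding] = []
    if not asset.remote_reachable:
        return findings

    # Unpatched is acceptable only if a compensating control is actually tracked.
    if not asset.patch_current and not asset.compensating_control:
        findings.append(("HIGH", "unpatched with no tracked compensating control"))
    elif not asset.patch_current:
        findings.append(("MEDIUM", f"unpatched; compensating control tracked as {asset.compensating_control}"))

    if not asset.config_hardened:
        findings.append(("MEDIUM", "configuration not hardened"))

    for acct in asset.accounts:
        if acct.is_shared:
            findings.append(("HIGH", f"shared account '{acct.name}' reachable remotely"))
        elif (today - acct.last_login).days > STALE_ACCOUNT_DAYS:
            idle = (today - acct.last_login).days
            findings.append(("MEDIUM", f"account '{acct.name}' unused for {idle} days"))
    return findings


def review_inventory(inventory: List[Asset], today: date) -> Dict[str, List[Finding]]:
    """Map asset_id -> findings for every asset that has at least one gap."""
    report = {}
    for asset in inventory:
        gaps = review_asset(asset, today)
        if gaps:
            report[asset.asset_id] = gaps
    return report


# Constructed sample inventory; none of these are real systems.
TODAY = date(2020, 6, 1)
SAMPLE_INVENTORY = [
    Asset("HMI-01", "operator HMI", True, False, None, False,
          [Account("operator", date(2020, 5, 30)), Account("vendor", date(2019, 12, 1))]),
    Asset("PLC-07", "line PLC", True, False, "CHG-1042: isolated VLAN, read-only access", True,
          [Account("admin", date(2020, 5, 20), is_shared=True)]),
    Asset("HIST-02", "historian", True, True, None, True,
          [Account("svc_hist", date(2020, 5, 31))]),
    Asset("SIS-01", "safety system", False, False, None, False,
          [Account("engineer", date(2018, 1, 1))]),  # no remote path: out of scope
]


def remote_exposure_report(inventory=SAMPLE_INVENTORY, today=TODAY) -> Dict[str, List[Finding]]:
    return review_inventory(inventory, today)


if __name__ == "__main__":
    for asset_id, gaps in remote_exposure_report().items():
        for severity, description in gaps:
            print(f"{asset_id}\t{severity}\t{description}")
```

Run as a script, the report lists HMI-01 (unpatched with nothing tracked, unhardened, and a vendor account idle since December) and PLC-07 (unpatched but with a tracked control, plus a shared admin login); the historian is clean and the safety system is skipped because it has no remote path. The point of the rule structure is the distinction the text draws: an unpatched asset is a tracked, medium-severity condition only when the compensating control is actually recorded against it, and a high-severity gap otherwise.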
Establish a robust cyber security program, not a one-off tactic
Re-engineering cyber security will not happen overnight. Too often, crises lead to rash, quick, short-term decisions. Successful CISOs are not wasting the crisis: they establish a clear end state for where the organization will be, and by what date, and then build a cyber security program that ties the pieces together over time into an integrated solution.
A programmatic approach ensures the tools you deploy and the procedures you create today – in the time of crisis – are the foundation for a long-term solution, becoming increasingly valuable as new components of the program are added over time.
Converge ITSM into OT systems management
It is easy to find someone to tell you what you CANNOT do in OT, but it is critical that you find out what you CAN do safely and efficiently. The disappearance of the air gap means it’s time to ask the hard questions. The good news is there are lots of things you can do in OT, with the right approach.
Verve has worked in operating environments as controls engineers for over 25 years. We’re here to tell you that you CAN safely bring the best of IT-type security capabilities to OT (true risk scoring, full asset visibility, real-time vulnerability management without expensive taps and span ports, integrated patch management, centralized security reporting, etc.) with the right set of tools and techniques.
The current economic crisis is horrific for the loss of life, jobs, wages, and profits. But it doesn’t have to be wasted. It is forcing organizations to see the future of a remote industrial landscape. Unfortunately, with current security practices, that landscape looks pretty scary.
Now is the time to address the long-term problem that has been avoided for too long. The air gap is gone. How will you respond?