From Atlantic Council:

#1 What is the most common misconception about solutions for OT security?

Andy Bochman, nonresident senior fellow, Global Energy Center; senior grid strategist, national & homeland security, Idaho National Laboratory:

“The most common misconception is that for practical purposes, one can have confidence in anything called an air gap in 2021 – or in anyone still using that term.”

Bryson Bort, founder & CEO, SCYTHE:

“The biggest misconception is why there are systems with end-of-life operating systems and that the ‘just patch it’ credo does not just work. The primary design considerations for this equipment are high availability and a long life-cycle. As a result, they will inherently outlast the vendor support for those operating systems. You cannot patch what is not even available, and that only applies to the equipment that even has the ability to be patched (many do not).”

#2 The ransomware attack on the Colonial Pipeline in May 2021 made front-page news. What is your biggest takeaway from this incident with regard to OT security?

Bochman: “My biggest takeaway is that, as with Norsk Hydro, ransomware need not cross IT/OT demilitarized zones or reach into OT systems to wreak havoc on operations.”

Bort: “OT does not need to be directly affected by an attack for there to still be an impact. Just the threat of affected operations can be enough. Colonial Pipeline’s OT was not directly compromised, but the pipeline operators took its systems down because scheduling and billing were not operating effectively, and they were concerned that the attack would spread to OT.”

#3 What under-the-radar sector relies on OT, the security of which we may take for granted, that is prime for exploitation?

Bort: “Instead of a specific sector, which are fairly well defined by Presidential Policy Directive 21, I think your average business does not understand that they operate in an OT environment. OT underpins modern society: water, electricity, and fuel. Without any of those elements, we go back to the Stone Age pretty quickly. Furthermore, there is OT integration into office buildings for automation systems, HVAC, etc. You work in an OT environment; you just did not realize it.”

#4 What is one policy change that you would like to see in order to better protect core critical infrastructure and the OT that operates it that could realistically be implemented in the next two years?

Bochman: “Aim for resilience, understand how to operate in manual or near-manual mode, and practice doing it repeatedly.”

Bort: “The Cybersecurity and Infrastructure Security Agency (CISA) should provide a technical catalog of tools and configurations that it curates and maintains for the sectors under its purview. Instead of thousands of places fundamentally trying to individually solve the same problem, we can centralize the work and provide an improved baseline. Instead of throwing more paper at asset owners and operators, the US government can offer real carrots that owners and operators can take advantage of.”

#5 What is the low-hanging fruit for better protecting OT? Where can the least resources go the longest way?

Bochman: “The answer to the low-hanging fruit question is always: do a fuller job with discovery, asset management, inventory, or whatever you want to call it. How can one secure what one does not even know they have?”

Bort: “Segmentation is a powerful defensive tool – what cannot be touched, cannot be hacked. However, the challenge in implementing segmentation is that it increases maintenance and can make operational tasks more difficult. Security is not the only factor in deciding what or why something should be architected a certain way.”
