By Ralph Langner
If you have been in OT security for quite a while, you may be among those who feel frustrated about the lack of progress in reducing the attack surface. After all these years, we still hear about new threats and attack attempts every other day. If you follow the industry as I do, you probably can’t tell how often you have heard about a “growing trend” of cyber attacks on OT systems. Why is that, after decades of effort in OT security, several government-sponsored programs, national and international standards, and billions of dollars spent?
Here’s a simple answer: If you focus on only one parameter, which represents nebulous external factors you cannot control, don’t expect progress. Not this year, not next year, not in ten years.
Progress can only be seen in activities you control and where you can measure results.
Progress requires an objective, a plan to reach that objective, and a means to measure how far you have come. All of that is missing in the predominant OT security school of thought, which is primarily concerned with threat detection. If you spend more resources on that issue, you won’t see fewer threats; you will see more.
The inherent limitation of ICS Detection
You will never hear from a security vendor or an industry publication that the threat landscape is improving, because both live in fear. Neither will ever admit that hackers lack knowledge of industrial control systems, or concede that the “growing trends” they proclaim might not be real. Progress can’t be found in things like the real or supposed activities of shady hacker groups that are reported by security vendors and media outlets with an agenda.
What the ICS Detection industry also doesn’t tell you is the following:
Every cyber-physical attack on record exploited fundamental design flaws and omissions in the victim’s environment.
That’s right, every cyber-physical attack we know of could have been prevented easily! You may not have known this interesting factoid because few people analyze OT attacks with the question of how they could have been prevented. (For some background, check out the video below.)
The bottom line is this: if you put all, or most, of your OT security resources into ICS Detection, you will not experience progress. As simple as that! The ICS Detection industry needs to push the impression of an ever-increasing threat environment in order to support its business model.
What needs to be done
Therefore, those interested in achieving progress must turn to other chapters of the OT security playbook, which are easy to find. Consider the following questions:
- How well are our systems protected? How can we improve this protection? Do we make enough progress over time?
- Are our disaster recovery procedures sufficient? How can we improve them?
Both protection and disaster recovery are prime areas for security execution because they allow for setting objectives and measuring how well they are met. They are also under the complete control of the asset owner.
Let me give you some examples that I primarily relate to ransomware scenarios.
Example 1: Protection
Regarding protection, you want to know how many outdated Windows operating systems you are still running: Windows 7, or even Windows XP. It’s a safe bet that you will still find several, if not hundreds of, obsolete and highly vulnerable software products in any typical OT environment. Make a plan for system upgrades and execute this plan, or bury those systems you cannot upgrade deep behind a firewall. Monitor execution by checking the number of outdated OSes in your asset inventory. You will be able to see your security posture improve week by week.
Finding PCs that run obsolete operating system versions is simple with an OT asset management system.
Another example: Is your network architecture designed with security in mind? How big are your networks? Do you know how many networks you have and how they are interconnected? Let’s get more concrete. If you already know that most of your OT devices are in one extensive flat network or in a handful of fully routed networks, you don’t need to search long for improvements. If that is your scenario, I would even advise you to forget about CVEs for the next couple of months until you have a solid plan for network segregation and have started executing that plan.
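As an added illustration (not code from the original post or from any product), the following Python script computes the two protection metrics just described from an asset inventory: how many assets run an operating system that is past its end of support, and whether most assets sit in one large, flat network. It also produces the week-by-week count that tracks execution of an upgrade plan. The inventory rows, addresses, subnet layout and the end-of-support table are constructed sample data; verify lifecycle dates against vendor lifecycle pages before using them.

```python
"""Security-execution metrics from an OT asset inventory.

Added example, not code from the original post. The inventory, subnet layout
and end-of-support table are constructed sample data.
"""
import ipaddress
from collections import Counter
from datetime import date

# Illustrative end-of-support dates (verify against vendor lifecycle pages).
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows 10": date(2025, 10, 14),
}

# Constructed inventory rows: (hostname, ip, operating system, role).
INVENTORY = [
    ("hmi-01", "10.10.0.11", "Windows XP", "HMI"),
    ("hmi-02", "10.10.0.12", "Windows 7", "HMI"),
    ("eng-ws-1", "10.10.0.20", "Windows 10", "Engineering"),
    ("hist-01", "10.10.0.30", "Windows Server 2008 R2", "Historian"),
    ("scada-srv", "10.10.0.40", "Windows Server 2019", "SCADA"),
    ("plc-line1", "10.10.0.101", "S7-1500 firmware", "PLC"),
    ("plc-line2", "10.10.0.102", "S7-1500 firmware", "PLC"),
    ("rtu-07", "10.20.5.7", "Embedded Linux", "RTU"),
]

# Constructed routed subnets; one is a single /16 holding almost everything.
SUBNETS = [ipaddress.ip_network("10.10.0.0/16"), ipaddress.ip_network("10.20.0.0/16")]

# Constructed reporting date and a constructed "week 2" snapshot where hmi-01 was upgraded.
AS_OF = date(2024, 6, 1)
WEEK2_INVENTORY = [("hmi-01", "10.10.0.11", "Windows 10", "HMI")] + INVENTORY[1:]


def obsolete_assets(inventory, as_of, eos=END_OF_SUPPORT):
    """Assets whose OS reached end of support before `as_of`."""
    return [a for a in inventory if a[2] in eos and eos[a[2]] < as_of]


def unknown_lifecycle(inventory, eos=END_OF_SUPPORT):
    """Assets whose OS has no lifecycle entry: they need research, not a pass."""
    return [a for a in inventory if a[2] not in eos]


def subnet_population(inventory, subnets):
    """Count assets per subnet (first matching prefix wins)."""
    counts = Counter()
    for _host, ip, *_rest in inventory:
        addr = ipaddress.ip_address(ip)
        net = next((n for n in subnets if addr in n), None)
        counts[str(net) if net else "unassigned"] += 1
    return counts


def flat_networks(inventory, subnets, min_share=0.5, min_size=256):
    """Subnets larger than a /24 that hold at least `min_share` of all assets."""
    pop = subnet_population(inventory, subnets)
    total = len(inventory)
    flat = []
    for net in subnets:
        share = pop[str(net)] / total if total else 0
        if net.num_addresses > min_size and share >= min_share:
            flat.append(str(net))
    return flat


def posture_report(inventory, subnets, as_of):
    """One snapshot of the measurable protection posture."""
    obsolete = obsolete_assets(inventory, as_of)
    return {
        "assets": len(inventory),
        "obsolete_os": len(obsolete),
        "obsolete_hosts": sorted(a[0] for a in obsolete),
        "unknown_lifecycle": len(unknown_lifecycle(inventory)),
        "subnets": dict(subnet_population(inventory, subnets)),
        "flat_networks": flat_networks(inventory, subnets),
    }


def obsolete_trend(snapshots, as_of):
    """Week-by-week count of obsolete OSes: the progress number to watch."""
    return [(label, len(obsolete_assets(inv, as_of))) for label, inv in snapshots]


if __name__ == "__main__":
    print(posture_report(INVENTORY, SUBNETS, AS_OF))
    print(obsolete_trend([("week1", INVENTORY), ("week2", WEEK2_INVENTORY)], AS_OF))
```

Assets whose OS is not in the lifecycle table are reported separately rather than silently treated as fine; in a real inventory those entries (PLC firmware, appliance images) are exactly the ones that need a lifecycle check. The flat-network rule is a policy knob: a prefix larger than a /24 that holds half or more of all assets is flagged as a segmentation candidate.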
Example 2: Disaster Recovery
When you look at disaster recovery, the underestimated value of security execution becomes even more apparent. Can we all agree that the most prominent cyber risk for asset owners comes from ransomware? Good. If you also admit that your current ways of preventing disasters might not be enough, it makes sense to focus on disaster recovery.
Setting appropriate recovery goals is relatively easy, and subject matter experts can do it if they can rely on a trustworthy asset inventory. In practical terms, this translates to your ability to fully recover systems within a predetermined timeframe. Depending on your processes and individual system criticality, that timeframe might be several hours or several days.
The next step is implementing the necessary technology to reach your recovery goals. This comes down to a managed backup system for your PLCs that uses a version control system. Imagine you could tell with a mouse click how many of your PLCs are appropriately backed up and how many are not.
That’s easy with existing technology and gives you a reliable measure of your disaster recovery capability. And on the day when the matter hits the fan, you’ll be the hero who restored operations within hours. That is security execution that makes a difference.
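As an added example (not code from the original post or from any product), here is a minimal version-controlled PLC backup store in Python together with the metric the paragraphs above describe: for each PLC, is the newest verified backup younger than the recovery window its criticality demands, does the stored content still match its hash, and what share of the fleet is therefore restorable. PLC names, criticality tiers, recovery windows, timestamps and project contents are all constructed.

```python
"""PLC backup coverage as a disaster-recovery metric.

Added example, not code from the original post or any product. PLC names,
criticality tiers, recovery windows and project contents are constructed.
"""
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed policy: how old the newest verified backup of a PLC may be,
# derived from criticality (the "predetermined timeframe" per system).
MAX_BACKUP_AGE = {
    "high": timedelta(hours=24),
    "medium": timedelta(days=7),
    "low": timedelta(days=30),
}

PLCS = [
    {"name": "plc-line1", "criticality": "high"},
    {"name": "plc-line2", "criticality": "high"},
    {"name": "plc-utility", "criticality": "medium"},
    {"name": "plc-test", "criticality": "low"},
]

# Constructed "now" for the sample timeline.
SAMPLE_NOW = datetime(2024, 6, 10, 8, 0)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class BackupStore:
    """Minimal version-controlled, content-addressed backup store.

    Every upload is recorded as a verification of the PLC; a new version is
    only appended when the project content actually changed.
    """

    def __init__(self):
        self.blobs = {}                      # content hash -> bytes
        self.versions = defaultdict(list)    # plc -> [(timestamp, hash)]
        self.last_verified = {}              # plc -> timestamp of newest upload

    def put(self, plc, content, when):
        h = sha256(content)
        self.blobs.setdefault(h, content)
        self.last_verified[plc] = when
        history = self.versions[plc]
        if history and history[-1][1] == h:
            return "unchanged"
        history.append((when, h))
        return "new-version"

    def corrupted(self, plc):
        """Hashes whose stored bytes no longer match: backups you cannot restore from."""
        return [h for _, h in self.versions[plc] if sha256(self.blobs[h]) != h]


def recovery_status(plcs, store, now, policy=MAX_BACKUP_AGE):
    """Classify each PLC as current, stale, corrupt or missing."""
    status = {}
    for plc in plcs:
        name = plc["name"]
        last = store.last_verified.get(name)
        if last is None:
            status[name] = "missing"
        elif store.corrupted(name):
            status[name] = "corrupt"
        elif now - last > policy[plc["criticality"]]:
            status[name] = "stale"
        else:
            status[name] = "current"
    return status


def coverage_percent(status):
    """Share of PLCs whose backups meet policy: the number for the dashboard."""
    if not status:
        return 0.0
    ok = sum(1 for s in status.values() if s == "current")
    return round(100.0 * ok / len(status), 1)


def build_sample_store(now):
    """Constructed backup timeline relative to `now`."""
    store = BackupStore()
    store.put("plc-line1", b"PROJECT line1 v1", now - timedelta(days=30))
    store.put("plc-line1", b"PROJECT line1 v2", now - timedelta(days=2))
    store.put("plc-line1", b"PROJECT line1 v2", now - timedelta(hours=6))   # re-verified, unchanged
    store.put("plc-line2", b"PROJECT line2 v1", now - timedelta(days=3))    # too old for "high"
    store.put("plc-utility", b"PROJECT util v1", now - timedelta(days=5))
    # plc-test has never been backed up
    return store


if __name__ == "__main__":
    store = build_sample_store(SAMPLE_NOW)
    status = recovery_status(PLCS, store, SAMPLE_NOW)
    print(status, coverage_percent(status))
```

Re-uploading an unchanged project refreshes the verification timestamp without creating a new version, so the history stays a clean list of real changes while the freshness check still reflects the last time someone confirmed the PLC matches its backup. Recomputing the content hash on every status run catches silent corruption of the stored project, which is the case a "last backup date" field on its own would miss.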
Putting it all together
OT security is getting close to a turning point where more and more people realize they have put too much money into detection technology that keeps them from moving forward.
At the same time, these stakeholders know that other parts of the NIST cyber security framework allow for measurable improvements, especially in protection and disaster recovery. Planning for quantifiable improvements, implementing the plan, and checking the results is what we call security execution.
OT security execution, with its focus on tangible results, appeals much more to engineering minds than a threat-centric approach does, with its often dramatized narrative of epic conquest against evil, unidentified hackers. By putting OT security in the hands of engineers, you are setting the stage for measurable and predictable success.
Since ransomware is the most significant risk for people who own OT assets, security execution is the best way to stop an attack or recover within acceptable limits if one does happen. Having all your OT assets in an OT asset management system will vastly accelerate your journey toward OT security execution with measurable results.