People, Processes, Technology
Knowledge – Data, information security and cyber security professionals are most familiar with the protection of IT environments (protocols, products, tools and more). In most cases, they do not understand the change required to adapt their knowledge when assessing risks, choosing protection solutions, monitoring, and preparing a recovery plan for operating environments.
Collaboration – In most cases, the team that runs the operation and maintenance of the systems in the production environment does not extend its trust to the Information Security Manager, or to the organization’s Information Systems and Communications Networks Manager. The ability to conduct reviews, make changes and harden the requirements therefore depends on deep collaboration and trust between the organization’s two different units.
While cyber defense professionals usually have the knowledge required to talk to IT professionals, the knowledge and trust required for dialogue with operations/control professionals are for the most part different (sector-specific knowledge, such as a variety of concepts relevant to a production environment, for example PAC, which does not exist in the IT network, and an understanding of chemical/engineering processes, etc.).
Dependence on external parties – While the IT environment can be managed by enterprise employees and local vendors with whom the organization is well acquainted (including background and reliability checks), in the OT environment support and maintenance are often provided by the equipment manufacturers’ own professional parties under warranty, and the client’s ability to influence them is low (for example a system vendor or a specialist software supplier from abroad).
High cost of production line and business operations – Any need for upgrading, updating or downtime is immediately translated into large sums of money and risk to the control process. As part of risk reduction, a dedicated area for running files and simulations can be considered as a preliminary step before going live on the network.
“Halting/Downtime” cost – There is difficulty in balancing risk: locating appropriate controls that avoid halting the process, versus locating compensating controls that allow for risk reduction without halting or compromising the production line.
Limited supply of dedicated protection solutions – While solutions such as code analysis, vulnerability detection, staging systems simulations and others are available and embedded into many systems around the world, they may not always be compatible with dedicated ICS environments. In addition, these tools are not always approved for use by the manufacturer or by the equipment’s operators, due to concerns regarding operational damage, liability coverage, etc.
Use of old and unchangeable technologies – such as a network that has not been given proper security inputs in the characterization and construction process; the use of old controllers, protocols and traditional communication based on old and unsupported classical technologies; all leading to difficulties in running antivirus or security updates, etc.
Equipment Lifecycle – While IT equipment is replaced relatively frequently and proportionately in organizations (taking into consideration the organization’s financial cycle), the replacement of a controller or a SCADA component involves significant effort, resources, and financial cost to the organization. These increased costs lead to keeping equipment that is 10-30 years old or more, which can only be protected using limited tools that are poorly suited to the environment.
In light of all the above, let me share with you a successful use case on pivoting into OT cybersecurity.
Building trust and a common language between IT cybersecurity personnel and OT chemical/engineering personnel – More often than not, information security requirements and guidelines are handed down from “the ivory tower”, staffed with excellent cybersecurity personnel whose experience stems from an IT orientation, to the Industrial Control systems and personnel, without an actual understanding of the requirements and without ever setting foot on the production floor, meeting the people and systems, and understanding their operational needs, including the relevant protocols, products, tools and more.
In most cases these guidelines, many of which would halt or compromise the production line in most organizations if applied, were never de facto implemented by the Industrial Control personnel. In order to build the basic trust that is required between the two disciplines, we must go down to the field and get to know the Industrial Control personnel; we need to be present in their day-to-day operational routine; we need to learn their language, terminology and operational processes, while teaching them the basic concepts of cyber security. Only then can we start to offer common courses of action and collaborations that are built on trust, a common language, and technical expertise.
Training & awareness – There are very few institutions and organizations in the world that provide professional cyber training for OT environments, and those that do are unfortunately not affordable to the general public. There is a vital need for more professional training programs on OT environments for cybersecurity personnel, since full-time Industrial Control personnel cannot be expected to add cyber defense tasks to their daily job function.
Organizations must make the necessary investments and hire full-time operational cybersecurity experts rather than part-time ones. Academic institutions and research organizations need to generate additional investment in building laboratories and arenas where operational cyber personnel can be trained. At the end of the day, the first responder to a cyber event is a critical part of the mitigation process. The engineering team is, in fact, the first line of operational cyber defense.
“In preparing for battle, I have always found that plans are useless, but planning is indispensable.” (Dwight D. Eisenhower)
Information Sharing, Indications and Warnings – Information sharing underpins any true partnership and is necessary to mitigate the threat posed by a cunning, adaptive, and determined enemy. To formulate comprehensive security plans and make informed security investment and action decisions, individuals and institutions alike require timely, accurate, and relevant information.
Accordingly, we must adopt measures to identify and evaluate potential impediments or disincentives to security-related information sharing and formulate appropriate measures to overcome these barriers. We need to develop and facilitate reliable, secure, and efficient communications and information systems to support meaningful information sharing among the various internal IT/OT entities and among external public and private entities.
Cyber Organization quality assessment program – One of the missing links in organizational cyber resilience is the lack of understanding of the most important roles in any organization – the decision-makers. From my experience, based on analysis of many cyber events and compromises, this is one of the common factors in cyber defense and resilience failures. What is needed is the creation of a fully executable plan and associated documentation to identify gaps and build a highly efficient Cyber Organization.
To summarize, as the risk landscape becomes more complex and fast-moving, it exposes the weaknesses of critical infrastructure. We need to remember that “Cyber security isn’t just about technology: more than anything, it’s about people” – only when we work together and collaborate can we illuminate the darkness.