The challenge for modern cyber security engineers working in the OT/ICS area involves modernizing the weak or missing protection controls in existing infrastructure toward more advanced and effective solutions that will stop malicious actors.
Here’s a transcript of the podcast for your convenience.
Andrew Ginter: Hello everyone, this is Andrew Ginter, I’m the VP of Industrial Security at Waterfall Security Solutions. I’m here to talk about industrial control system security with Ed Amoroso, he is the CEO at TAG Cyber and the former CSO at AT&T. Hello Ed!
Edward Amoroso: Hi Andrew, how are you?
Andrew Ginter: I’m very well, thank you. You know, we did this five-piece set of articles on industrial control system security, and I was thinking, can you speak to the first one? We talked about summarizing the space, and you’re a guru on the IT side. Describe the space for us and tell us what you thought about the space when you started looking hard at it.
Edward Amoroso: Yeah, happy to. It was such a pleasure working with you. I learned quite a bit about operational technology as we went through it, and that might even be a pretty good metaphor for the whole project, like this idea that there really are two very different legacies for people who are doing critical infrastructure security now. As you mentioned earlier, I grew up in and around the internet, I’m a computer scientist, so I learned the discipline in the context of all the familiar things you deal with as an enterprise – firewalls, protocols, encryption, protecting data on computers and servers and networks, and on and on and on – what we would call IT security.
It’s such a delight connecting up with you because I know this separate legacy of coming to cyber security through critical infrastructure, whether it be industrial control, or safety, or even life-critical systems, that in many cases have technologies that might look somewhat foreign to a person like myself, using protocols that are a little different and having objectives that are different. Controlling a power plant is a little bit different than running a law firm: fundamentally different threats and different technology.
So, I think a lot of the emphasis, as you know, that we focused on was seeing if we can’t help each group maybe understand a little bit more about the adjacent or corresponding area, because I think we both agreed that really the only hope we have for protecting OT or industrial infrastructure is to take the best elements of both disciplines and merge them into something that’s much better. So yeah, such a nice project, I enjoyed it, and I sure hope people enjoyed reading our article.
Andrew Ginter: There are a lot of similarities in terms of the technology we see in the IT and in the OT space, and there are some differences, as you point out. In the sites that I visit, every one of them, their first priority is safety, and that has maybe unexpected consequences for industrial security systems.
For example, I asked a site once, a big chemical plant, they refurbished the entire site every three years. They take it down for, I don’t know, six weeks, five weeks, and change everything, inspect everything, fix everything, upgrade all the software, and I asked, “After all of that, every change you just made is a threat to safety. How do you know that you haven’t broken something? How do you know it’s safe to start this plant again?” And the engineer I asked basically said, “We don’t. When we start the plant up, we fire everything up to 5%, we cancel all vacation, all hands on deck, 12-hour days, and we look around trying to find problems – physical problems, software problems, everything.
It takes two and a half weeks of this to bring the plant up to full capacity again, and the whole time we’re fixing problems, we’re inspecting, we’re watching the memory usage, we’re all over the plant, and finally we’re able to start standing down, and Microsoft puts out a software update, a security update, with, you know, 23 changes in it. Are we going to apply that update to the systems controlling the plant? If we did, how would we know that the plant is still safe to operate? Would we have to shut everything down, bring all hands on deck again, 12-hour days, and bring it back up, for two and a half weeks?”
So, you know, the simplest things that we take for granted in the IT space, like software updates, are problems in the OT space. While we use a lot of the same technologies in the OT space as we do in the IT space, we have to manage them differently because of the safety and reliability imperatives.
Edward Amoroso: You know, the example that you give, that case study, is a great one, because it does illustrate that the risk equation is the same for IT and OT. I mean, there are certainly consequences to anything like an update, but in an industrial application it’s so lopsided on the consequence side, to your point and to the example you just gave, where you do an update in a business environment and, still, what’s the worst that can happen? But when there could be real consequence, or loss of life or something, then the risk is higher. But I think the equation’s the same, it’s just the interpretation that’s fundamentally different. It’s just so much more consequential.
So, I hope people, you know, go through the work that we provided and keep that in mind, that they all have to go relearn a lot of things. Like I said, your baseline understanding of risk, it’s still about probability and threat consequences, that doesn’t really change. But if you’re operating in the environment, Andrew, that you and the team at Waterfall Security work in – the OT space – then you had better be prepared for some very high consequence scoring in the risk equation. I think that is a major difference that IT people would notice immediately.
Andrew Ginter: Okay, well, that’s what I had. Any parting thoughts, Ed?
Edward Amoroso: No, just that I hope that as people go through our material they keep in mind that, you know, the whole idea here is to take the best elements of OT and IT and create something better. There have been at times in my world, internet IT security, comments that I see that I don’t agree with, where people will say, “You know, those darn OT guys doing investor over there, a bunch of dummies, they don’t understand security,” and Andrew, you and I know that nothing could be further from the truth. People building out infrastructure for OT are well-trained, smart, probably studied engineering at a university, and work hard. So, it’s not that people are dummies, that’s ridiculous, but what it is, is simply the fact that we hadn’t emphasized cyber security concerns. So, now we have an opportunity, I think, in our industry to bring these disciplines together and make things more secure. So, I hope people read our work and learn.