Strategies for expertly protecting industrial control systems
Andrew Ginter is the Vice President of Industrial Security at Waterfall Security Solutions. We sat down with him to learn more about his new book, Secure Operations Technology, a collection of affordable and practical approaches that thoroughly defeat control system cyber attacks from the mundane to the arcane.
Based on what you’ve seen, do today’s IT leaders have the proper foundations to completely understand and properly protect their industrial control systems?
In general, I have to say that most IT leaders ask the wrong questions, and so never get the answers that they need to make good decisions.
For example – the IT leaders I work with generally believe that their job is to “protect the information” – the CIA, AIC, IAC, or something, of the information. The ICS leaders I work with pretty much uniformly believe that their job is not to “protect the information” but to protect physical operations from information – more specifically to protect continuous, reliable and safe industrial operations from attacks that may be embedded in information flowing into control systems from external sources.
All cyber attacks are information. The only way to change a control system from an uncompromised state to a compromised state is to allow attack information to pass into the ICS, through either a physical or network perimeter. ICS sites always have perimeters. Almost no information at all should pass from an external source into a control-critical set of ICS networks, hence the focus on protecting industrial operations from information flows.
A second difference I observe between most IT and ICS leaders is their degree of faith in software-based protections. Most IT leaders I work with believe that software-based security controls are enough to secure ICS networks. Firewalls, encryption, security updates, anti-malware and other software systems are the right way to secure IT networks after all, so why should they not also be enough to protect ICS networks?
The ICS leaders I work with disagree. There is no way to restore lost production, damaged industrial equipment or worker casualties “from backups” the way we recover from most consequences of compromised IT networks. The intensity of physical consequences is such that ICS leaders very much prefer physical and hardware-based protection from cyber attacks to software protections.
What advice would you give to a security team leader that aims to make sure a critical network is as safe from attack as possible?
I would encourage IT leaders to adopt the Secure Operations Technology (SEC-OT) methodology that I document in my new book. This is why I wrote the book – nobody else has documented what thoroughly-secured industrial sites actually do.
Some of the terminology and interpretations in the book are my invention, as I try to weave what I observe at secure sites into a coherent whole. The methodology, practices and reference architectures, though, are all taken from my observations of thoroughly-secured industrial sites. The secure industrial sites I work with lock down both offline and online information/attack flows into control-critical networks to such an extent that launching an online attack into the site becomes physically impossible, and launching an offline attack becomes extremely difficult.
Details vary, but most industrial sites:
- Define a single control-critical network that is the sum of all of the site’s ICS networks
- Deploy physical and hardware-based protections at the perimeter of the control-critical network
- Deploy software-based IT defenses throughout, as secondary, compensating measures
This last bit is important. Secure sites do not regard software-based IT protections as sufficient, but do regard such protections as necessary. The experience of IT leaders with software-based security is an asset to ICS teams, but is not enough. Physical protections from information/attack flows are the essential, primary protections.
What were some of the most interesting things you’ve discovered while writing this book? Were there any surprises?
I would have to say that my biggest surprise is the different receptions these ideas have in IT and ICS communities. I have little feedback on the new book of course, since it was just released. The key ideas, however, were documented in my first book SCADA Security – What’s broken and how to fix it. That book received mixed reviews from IT practitioners, which was predictable. A lot of IT practitioners ask why physical and hardware protections are necessary, when software protections are adequate for all of the other networks they work with.
Reviews from ICS practitioners were surprisingly positive. For example – I was speaking to the CIO of a medium-sized electric power utility who is one of the pioneers of the SEC-OT approach. I asked what she thought of the first book. Her response was “Andrew, I don’t know how to tell you this – everything you wrote in that book is obvious. It must have taken weeks of effort to produce all that content. What would possess you to spend that much of your life documenting the self-evident?”
The sharp contrast was surprising – disagreement from many IT professionals, but from ICS leaders, feedback that the ideas I am documenting are so self-evidently true they are not worth writing down. There is such a big difference between the two communities.
What is the target audience for your book? Explain in short what the reader will learn from it.
The target audience is IT and ICS security practitioners responsible for industrial sites where the business puts a high priority on continuous and correct physical operation. It is the experience of such thoroughly-secured sites, both large and small, that I document in the book. What readers will get from the book is, hopefully, a clear understanding of the physical and procedural measures that secure industrial sites implement in addition to conventional software-based practices.
What is the most important change you would like to see in security solutions for industrial operations of the future?
I think it is vitally important that we start talking about and understanding the differences between secure industrial sites and everyone else – right now too many people are talking past each other.
For example, at an ICS security conference I might see two people on a panel each saying, “prompt security updates are important” and nodding their heads at each other. But one means “information & attacks flow into my control networks every day, so it is vital that I apply security updates as immediately as possible, especially to my security software, to keep common malware from exploiting these vulnerabilities.” The other means “I have locked down my information flows so thoroughly with SEC-OT practices that it is next to impossible for any information or attacks to gain entrance to my control systems – but nothing is perfect so yes, I apply security updates as promptly as is practical.” On the surface, these two practitioners agree, but they are doing very different things.
Cyber attacks only become more sophisticated over time, so all ICS security installations must become increasingly robust if we are to protect physical operations. It is clear to me that at least some SEC-OT practices are part of every industrial site’s future. We need to be talking more about the differences between SEC-OT and IT-SEC so that more of us can understand what lies in all of our futures.